They do have access to them. The lead developer and project owner has sec bug access in bugzilla.
But vulnerabilities in newer Mozilla have over time become less and less relevant in Pale Moon's codebase, which led to the latter dropping the tracking of how many Mozilla security patches have been applied in the release notes (starting with 33.0.1).
Perhaps it’s secure enough for now due to its obscurity.