The first fruits of this attack surface reduction are now apparent – Firefox 220.127.116.11 and 18.104.22.168 both contain a fix for a buffer overflow in the SSL 2 code in NSS that allows arbitrary code execution (security advisory). But in their default configurations, Firefox 2 is immune to this attack because SSL 2 is turned off, whereas Firefox 1.5 is not.
So why are we taking the fix in Firefox 2 anyway? Partly because, dveditz tells me, some short-sighted webmasters, instead of upgrading their sites, have been telling their customers to re-enable SSL 2 (presumably by editing about:config!). Those webmasters have directly placed their users at unnecessary risk, which is IMO shameful.
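One way an administrator can spot profiles where users followed that advice is to audit the profile's prefs.js for the preference that about:config toggles. The following is an added example, not code from the original post or from Mozilla: it assumes the standard `user_pref("name", value);` line format of prefs.js/user.js and the pref name `security.enable_ssl2`, and it takes the build's shipped default as a parameter because the post says SSL 2 is off by default in Firefox 2 but on in Firefox 1.5.

```python
import re

# One prefs.js / user.js line looks like: user_pref("some.name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# The about:config preference that turns SSL 2 on or off (assumed name).
SSL2_PREF = "security.enable_ssl2"


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref() line in a prefs file.

    Values are kept as the literal text ('true', 'false', '42', '"str"');
    lines that are not user_pref() calls (comments, blanks) are ignored.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def ssl2_enabled(text, default_enabled):
    """True if this profile will negotiate SSL 2.

    default_enabled is the build's shipped default: False for Firefox 2,
    True for Firefox 1.5 (as stated in the post). A profile only writes the
    pref to prefs.js when the user changed it, so an absent pref means the
    default applies.
    """
    prefs = parse_prefs(text)
    if SSL2_PREF in prefs:
        return prefs[SSL2_PREF] == "true"
    return default_enabled


def audit_profile(text, default_enabled):
    """Return a short finding string for a profile's prefs.js contents."""
    explicit = parse_prefs(text).get(SSL2_PREF)
    if ssl2_enabled(text, default_enabled):
        if explicit == "true":
            return "RISK: SSL 2 re-enabled by user (explicit pref)"
        return "RISK: SSL 2 enabled by build default"
    return "OK: SSL 2 disabled"


# Constructed sample prefs.js contents for demonstration.
SAFE_PROFILE = (
    '# Mozilla User Preferences\n'
    'user_pref("browser.startup.homepage", "about:blank");\n'
)
REENABLED_PROFILE = SAFE_PROFILE + 'user_pref("security.enable_ssl2", true);\n'

if __name__ == "__main__":
    for label, prefs, default in [
        ("Firefox 2, untouched", SAFE_PROFILE, False),
        ("Firefox 2, user re-enabled SSL 2", REENABLED_PROFILE, False),
        ("Firefox 1.5, untouched", SAFE_PROFILE, True),
    ]:
        print(f"{label}: {audit_profile(prefs, default)}")
```

Run it against a real profile by reading that profile's prefs.js into `text`; a profile flagged by the explicit-pref case is exactly the "re-enable SSL 2 via about:config" advice the post describes, and the fix is to delete the line (or ship a locked preference) rather than rely on the server being upgraded.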