This article lists several resources that could be used to find information about any known security vulnerabilities in Thunderbird. Some of them may also apply to other Mozilla applications.
Mozilla has a web page for known vulnerabilites in Mozilla applications and another for security advisories. The Security center has alerts and announcements on security and privacy, and general tips. The Security project web page has links to many resources such as the "Security Review and Best Practices Guide" and a list of future security projects (which identifies some areas of concern).
The Rumbling edge charts weekly developments in Thunderbird builds. It can be a quicker way to monitor security bug activity than searching Bugzilla, especially if a new release is due within a couple of weeks.
The test case wish list at MozillaQualityAssurance indicates what functionality isn't tested by the QA team. Those areas (especially if they're new functionality) may have a disproportionate share of security bugs. For example, there are no encryption and digital signing test cases (when this article was written).
You can also search the release notes.