Don't get me wrong. I don't dislike Firefox but my experiences with Firefox on OS X has been less than stellar compared to Chrome. Also, being an educational model iMac with an old C2D, Chrome runs noticeably faster than Firefox.
I haven't got any conclusive stats to hand, but I get the impression that Firefox performance is gradually improving. This is one example of an upcoming feature that should offer some performance improvements:
He is on a non-admin account and can only visit a few white listed sites that I've pre-screened. The chances of him getting hacked are basically zero and I don't have the money to replace a perfectly functional computer with a newer one just so it can run a more recent version of OS X.
He also loves the built-in applications like Photo Booth that lets him record own videos and apply silly special effects to send to the grandparents. So, moving to Linux or Windows is really a non-starter.
My white MacBook was in the same boat. I still use it as a media computer, so I formatted and installed Ubuntu Mate 15.04. If your son is just using the web browser, I doubt he'll notice the difference in OSes. I don't know how old he is, but it could be a fun weekend project for you guys.
If it were just the web browser I would have probably moved him to some incarnation of Ubuntu. Unfortunately, when it comes to applications like Photo Booth that are easily approachable by a 6 year old the situation becomes more complicated.
> chances of him getting hacked are basically zero
How do you know that? Your machine is probably still susceptible to POODLE.
He is on non-admin account doesn't mean the OS doesn't contain bugs that allow privilege escalation. And Apple is definitely not going to fix those bugs.
Flash can be upgraded independent of Chrome (and it's not entirely clear why you're worried about sites sending exploits via Flash but not about those sites using the numerous RCE exploits that have been released for 10.7 but not patched).
Yes, I know that Flash can be manually kept up to date. However, it's nice to have Google taking care of that issue via updates to Chrome.
Regardless, for me it's more about risk management. What's the more likely scenario? That an attacker compromises my internal network in order to launch attacks on my son's OS X box to compromise it via some known service exploit or an attacker serving malware that targets Flash vulnerabilities via a compromised host or ad network?
I tend to read more about the latter category than the former.
Why is that a shame? Firefox is a great browser.