I'm confused as to why someone would even want them to change the codebase - is this just an example of the "newer is better" problem we have here in tech? Is there something glaringly obvious about Rust that would make the effort worthwhile?
Web browsers are almost unique in how hard it is to make them resistant enough to attacks to fully protect the interests of their users. I know that when my local copy of Firefox got a malware infection, I reacted by switching to Chrome. That was about 2.5 years ago, and I have yet to switch back.
(More on why I switched. I like to tweak things, and had gotten used to about 8 or so about:config customizations and a handful of Firefox extensions. The infection added tons of phoney about:config customizations, and it would have been tedious to identify which customizations were mine and which were the infection's. IIRC, if I had had a backup of my customizations unmixed with phoney customizations, I wouldn't have switched. I.e., basically I switched to avoid my having to learn how to back up my about:config settings and my choice of extensions. I recall spending some time with a search engine unsuccessfully trying to learn.)
TL;DR: Rust's concurrency guarantees made parallelizing CSS layout feasible. They tried it in C++ twice, and failed.
One of the early justifications for pursuing Rust at all was security; an internal survey of security issues was done, and over half of them were memory-safety related. At the same time, browsers need speed. Traditionally, you get either speed or memory safety in a language; Rust gives you both.
Because within that codebase there's an untold number of exploitable memory errors which put users at risk. Browsers have critical security issues all the time.
A few of them. It won't stop logic errors (although enums help here) but it will prevent buffer overflows, use-after-free, some cases of type confusion, uninitialised reads, and a few other problems.
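An added illustration of the bug classes listed in the comment above (not code from the thread or from Firefox): a parser for untrusted bytes in which a lying length field yields an error instead of an out-of-bounds read, and an enum takes the place of an unchecked tag-plus-union. The record format (one tag byte, one length byte, payload) and all names are hypothetical, constructed for this example.

```rust
// Added example. Hypothetical record format: [tag: u8][len: u8][payload: len bytes].

#[derive(Debug, PartialEq)]
enum Value<'a> {
    Text(&'a str), // borrows from the input buffer; cannot outlive it
    Number(u32),
}

#[derive(Debug, PartialEq)]
enum ParseError {
    Truncated,
    UnknownTag(u8),
    BadPayload,
}

fn parse_record<'a>(input: &'a [u8]) -> Result<Value<'a>, ParseError> {
    let (&tag, rest) = input.split_first().ok_or(ParseError::Truncated)?;
    let (&len, rest) = rest.split_first().ok_or(ParseError::Truncated)?;
    // The length is attacker-controlled. get() returns None when it exceeds
    // the buffer, where an unchecked C read would run past the end.
    let payload = rest.get(..usize::from(len)).ok_or(ParseError::Truncated)?;
    match tag {
        // Text is validated before it is typed as &str: no reinterpreting raw bytes.
        0x01 => std::str::from_utf8(payload)
            .map(Value::Text)
            .map_err(|_| ParseError::BadPayload),
        0x02 => {
            if payload.len() != 4 {
                return Err(ParseError::BadPayload);
            }
            let bytes = [payload[0], payload[1], payload[2], payload[3]];
            Ok(Value::Number(u32::from_be_bytes(bytes)))
        }
        other => Err(ParseError::UnknownTag(other)),
    }
}

fn describe(v: &Value) -> String {
    // Exhaustive match: adding a variant later is a compile error here
    // until it is handled, which is how enums help with logic errors.
    match v {
        Value::Text(s) => format!("text:{}", s),
        Value::Number(n) => format!("number:{}", n),
    }
}

fn main() {
    let honest = [0x01, 0x02, b'h', b'i']; // constructed sample input
    let lying = [0x01, 0xff, b'h', b'i']; // claims 255 payload bytes, has 2
    println!("{:?}", parse_record(&honest).map(|v| describe(&v)));
    println!("{:?}", parse_record(&lying));
}
```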
If you look at the CVEs for browsers, I would say a great majority is due to errors that would've been prevented in any memory safe language - not specifically Rust.
However, due to the other requirements (like performance) and its adoption at Mozilla, Rust is a real contender.
Exactly, and besides, if you want to write secure software it is also mostly a development process thing, and not just what programming language you write it with.
But how much of that is the existing compositor, renderer or other components (that have been or will be replaced by Firefox Quantum components) and will eventually be deprecated and removed?
That is an insane amount of code that would need to be rewritten, rechecked, retested and so on. Not going to happen anytime soon, if ever.