Broadly speaking, I would assume they exist in all versions, or at least that's the safe assumption anyway. Firefox doesn't incorporate the usual Microsoft attack vectors (ActiveX), so one must assume the vulnerability is more likely than not to be an issue with Firefox or Mozilla rather than the OS it's run on.
There is a certain factor regarding the architecture itself; a vulnerability on Intel hardware is less likely to be a bug on PPC hardware simply because if it relies on certain hardware behaviour it's not going to work on the "wrong" one.
When the same application runs on the same hardware but on different OSes, well, then any vulnerability that does not rely on the OS to exploit will work on both.
It still may be true that a Firefox vulnerability does rely on the OS (Windows has a significant issue with privilege escalation that doesn't exist on other platforms), but certainly that won't be true for every example.
Anyone can build insecure software. The best info on any vulnerability can be found on sites like US-CERT.