For comparison, NIST NVD lists 445 CVEs for Acrobat, or at least 17 per year since introduction. However CVEs haven't been maintained since the early 90s, so that number should be much higher. I think pdf.js does just fine.
pdf.js does a lot less, of course. Really you should compare Firefox to Acrobat, as they are both rich media rendering apps with a lot of functionality.
One of the points of something like pdf.js is that in most cases you don't need all that extra fluff. You just want to look at some PDF. So doing less is exactly what allows pdf.js to be (more) secure.
The wording was confusing for me too. At first reading I understood it as saying CVEs were no longer being issued for Acrobat, which definitely isn't the case. I assume the intended meaning was that Acrobat was first released in 1993[0], but the first CVE was CVE-1999-0001 (source: downloaded the raw dump from [1], ran grep -m1 CVE-....-0001).
But, I'm doubtful there would have been all that many CVEs issued for Acrobat from 1993-1998. There was only one CVE that mentioned "Acrobat" each year from 1999-2001, and three in 2002. The more recent years are the fun ones - but I have no idea whether that's a result of freshly-introduced exploitable bugs or just increased attention.
Not for long if this keeps up…