How many in-the-wild attacks did you see using XUL from extensions that were in the curated addons ecosystem, i.e. not downloaded and manually installed via extra steps a novice is unlikely to go through?
XUL allows too many modifications to the browser. It increases the attack surface, and it makes it hard for Firefox developers to modify Firefox's internals to improve things.