> In practice they led to fairly severe security vulnerabilities.

Well, that seems to not matter for the people writing YAML.

> XML, like HTML, has entities that can be expanded.

Lol! Of course I'd be wrong about that.

Expecting XML not to have a well known security vulnerability is a losing proposition.