It's amazing that SeaMonkey, Pale Moon, and all the other forks which support XUL have managed to do so securely with incomparably smaller teams. Multiple proofs of the falsehood of your claims already exist.
Mozilla got rid of XUL because it wouldn't work with the multi-process model of Chrome they were copying in order to speed up the browser for running complex JavaScript applications. The security justifications were nonsense. The real security problems are in supporting all the new attack surfaces that modern browsers do in the form of exposing bare metal (or just above) functionality for acting as an OS (WebGL, WebSockets, etc.) instead of a browser.