This is mostly not an issue in browsers so much as non-browser implementations. It's not even really an issue in modern implementations with better defaults.

What it did do is create a perception that XML is insecure. This hastened its demise.

> It's trivial to mitigate security risk arising out of the use of entities.

Obviously. However, in practice, historically most implementations did not. At least not by default.

The XML spec bears some responsibility for this for not being explicit about suggesting secure defaults.

Regardless, JSON won partially because it didn't have the attack surface, so people didn't have to worry. XML being theoretically easy to secure means nothing when practically implementations made it difficult.