
Yeah, an XML parser that allows invalid XML (tags must be closed, per the spec[1]) is pretty clearly a terrible choice for a security-sensitive purpose. Likely it was just oversight / accidental reuse, and it's a somewhat common error, but it's very much an engineering mistake and not an XML flaw.

[1] It's very clearly stated as item 2, in a 2-item list for well-formed-ness of documents: https://www.w3.org/TR/xml/#sec-well-formed
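The difference the comment describes, as an added example that is not part of the original comment: a strict parser rejects a document with an unclosed tag, while a forgiving one quietly repairs it and hands back data. Python's `html.parser` stands in for the lenient parser here (an assumption, the comment names no specific parser), and both sample documents are constructed.

```python
import xml.parsers.expat
from html.parser import HTMLParser

# Constructed inputs: in BAD the <role> element is never closed.
GOOD = "<assertion><user>alice</user><role>admin</role></assertion>"
BAD = "<assertion><user>alice</user><role>admin</assertion>"


class _Lenient(HTMLParser):
    """Stand-in for a forgiving parser: repairs structure instead of failing."""

    def __init__(self):
        super().__init__()
        self.stack, self.fields = [], {}

    def handle_starttag(self, tag, attrs):
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:  # implicitly close anything left open
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if self.stack:
            self.fields[self.stack[-1]] = data


def lenient_fields(doc):
    p = _Lenient()
    p.feed(doc)
    p.close()
    return p.fields


def strict_fields(doc):
    """Return leaf text by element name, or raise ValueError if not well-formed."""
    stack, fields = [], {}
    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler = lambda name, attrs: stack.append(name)
    p.EndElementHandler = lambda name: stack.pop()
    def on_text(data):
        fields[stack[-1]] = fields.get(stack[-1], "") + data
    p.CharacterDataHandler = on_text
    try:
        p.Parse(doc, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"rejected, not well-formed XML: {exc}") from exc
    return fields
```

`lenient_fields(BAD)` returns the same fields as the well-formed document, whereas `strict_fields(BAD)` raises, which is the behaviour a security-sensitive consumer wants.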


