The fact that XML External Entity Processing is a category of vulnerability indicates how wrong your comment is. There's a lot of things wrong with XML, mostly that it's hugely complicated and a nightmare to write parsers for. JSON won because all of that complexity wasn't in it nor needed.