We still haven't enabled expat in base/, because it's not audited enough
yet... we `trust' it as an X11 library, but no-one has addressed the multiple
security issues it may have.

Yes, we do know expat is a problem... we finally removed it from ports/
because it makes no sense to build it once.

If you don't trust X11, you can install just a few pieces. expat is mostly
independent from the rest.

There are a lot of conflicting opinions there.

In the end, the sensible solution is to audit libexpat and enable the version
in source. The only issue is that no-one has had time to do that correctly
yet.
