Because it was written in C, libxml2's CVE history has been dominated by use-after-free, buffer overflows, double frees, and type confusion. xmloxide is written in pure Rust, so these entire vulnerability classes are eliminated at compile time.

https://gitlab.gnome.org/GNOME/libxml2/-/commit/0704f52ea4cd...

Doesn't seem to have shut down or even be unmaintained. Perhaps it was briefly, and has now been resurrected?

If by flaws you mean the security researchers spamming libxml2 with low effort stuff demanding a CVE for each one so they can brag about it – no, I don’t think anybody can fix that.