Quick note wrt
“Sadly, most Java XML parsers have XXE enabled by default.”
The reason for this is, I think, that this is what the XML specification mandates: XML document processing should apply all entity expansion as directed.
And suppressing such expansion could be considered non-compliance.
As a result some specifications (StAX on Java, for example; and probably SAX as well) mandate defaults that are not optimal from a security perspective — that is, should only be used for trusted content, and never for XML generated by clients.
In practical terms I agree that for this day and age defaults should be more conservative, since anyone who knows what XML entities are should probably be expected to enable their handling. I am just noting why defaults differ from your reasonable expectations.
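As an added illustration of the defaults described above (example code, not the commenter's own), this shows how the JDK's StAX and DOM factories are configured so that DTDs, and with them entity declarations, are refused for untrusted input. The sample document, the class name and the method names are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.*;
import org.xml.sax.InputSource;

public class XmlParserDefaults {
    // Constructed sample: a DOCTYPE declaring an internal entity. A spec-compliant
    // parser expands &e; as directed; for untrusted input we want no DTD at all.
    static final String DOC = "<!DOCTYPE d [<!ENTITY e \"expanded\">]><d>&e;</d>";

    // StAX: hardened factory (no DTD processing, no external entities).
    static XMLInputFactory hardenedStax() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // DOM: hardened factory rejects any DOCTYPE outright, so no entity is ever declared.
    static DocumentBuilderFactory hardenedDom() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    // Collect the text of <d> with StAX; report a parse failure instead of throwing.
    // With the default factory the entity is expanded; with the hardened one the
    // DTD is not processed, so the reference is undeclared and parsing fails.
    static String textViaStax(XMLInputFactory f) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(DOC));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) text.append(r.getText());
            }
            return text.toString();
        } catch (XMLStreamException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("StAX default : " + textViaStax(XMLInputFactory.newInstance()));
        System.out.println("StAX hardened: " + textViaStax(hardenedStax()));
        try {
            hardenedDom().newDocumentBuilder().parse(new InputSource(new StringReader(DOC)));
            System.out.println("DOM hardened : parsed");
        } catch (org.xml.sax.SAXParseException e) {
            System.out.println("DOM hardened : rejected DOCTYPE");
        }
    }
}
```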