Perhaps XML and JSON are secure by virtue of the fact that their built-in security features can never be broken.

Not immediately obvious from the text indeed, but I'm certain they mean (the joy that is) XMLSEC and JWS here. Not sure about JWS but XMLSEC certainly has similarities to the format described here: you define exactly what parts are included in the signature.