curl_exec is absolutely required by Facebook, and there is no way around it. cURL is a way to fetch or POST data to a remote URL. That's how all of Facebook works to get user information, authenticate, etc.
curl_exec, by itself, is not a security issue. However, it can be abused by poorly written (or malicious) extensions if they open up vulnerabilities that let arbirtary users run the cURL function calls (think about downloading remote 'bad' files to your server).
Disabling by default isn't a bad thing. Securing things that aren't required is generally good security practices. Open up those restrictions when necessary is what needs to be done as you find needs for those features though, like cURL.
As for Wordpress, they didn't remove curl_exec. In 2.7, they implemented an automatic updating and version check mechanism that used curl_exec. Because it's so popular to have that disabled, when users moved to 2.7, there were a lot of users getting "curl_exec has been disabled on this server" errors. In 2.7.1, Wordpress implemented an alternative method to curl_exec... not because of security issues, but because of the support required to use it.
Finally, for Kloxo, I've never used it, but they added the curl_exec disabling about 7 months ago, per the bug post below:
project.lxcenter.org/issues/435#note-13
It's also noted in that post:
but they became configurable by admin now (per domain for suphp mode). I also excluded some other advanced php settings that imho should belong to the admin only. Please test and when approved merge with 6.1.x
So it should be something you configure.. but don't ask me how
Hope that all helps,
Alex