curl_exec is absolutely required by Facebook, and there is no way around it. cURL is a way to fetch or POST data to a remote URL. That's how all of Facebook works to get user information, authenticate, etc.
curl_exec, by itself, is not a security issue. However, it can be abused by poorly written (or malicious) extensions if they open up vulnerabilities that let arbirtary users run the cURL function calls (think about downloading remote 'bad' files to your server).
Disabling by default isn't a bad thing. Securing things that aren't required is generally good security practices. Open up those restrictions when necessary is what needs to be done as you find needs for those features though, like cURL.
As for Wordpress, they didn't remove curl_exec. In 2.7, they implemented an automatic updating and version check mechanism that used curl_exec. Because it's so popular to have that disabled, when users moved to 2.7, there were a lot of users getting "curl_exec has been disabled on this server" errors. In 2.7.1, Wordpress implemented an alternative method to curl_exec... not because of security issues, but because of the support required to use it.
Finally, for Kloxo, I've never used it, but they added the curl_exec disabling about 7 months ago, per the bug post below:
project.lxcenter.org/issues/435#note-13
It's also noted in that post:
but they became configurable by admin now (per domain for suphp mode). I also excluded some other advanced php settings that imho should belong to the admin only. Please test and when approved merge with 6.1.x
So it should be something you configure.. but don't ask me how
Hope that all helps,
Alex
Problems with 4.1.0 - didn't get the application
At least if you are not the server admin. For example, I have the option on a VPS running with Kloxo, however I don't have it on a shared/reseller hosting with it. The worst is that it can't be enabled by "user", but only "per domain". So when you have several domains, then you need to ask the hosting provider to enable it for each.