- Silverlight is a plugin, which means that to all intents and purposes it's a native code executable. There is no point trying to prevent native code executables from calling native code, it just can't be done. Any security flaw in a native executable, be it Silverlight, Flash, Acrobat or any .exe is as risky as any other. This is why modern browsers allow you not to load executable code from iffy websites or, better yet, ban it entirely. By contrast, WebGL would be right inside HTML, there is no opt-in choice. Any power you grant to WebGL is granted to the entire web.
- WebGL doesn't solve real web problems, it's about graphics card manufacturers wanting to be able to sell high-end hardware to people who just want to surf the web. This is why blindingly obvious functionality like being able to put arbitrary HTML content on 3D surfaces is entirely ignored, because getting that working and usable is far harder than just exposing a stripped down portion of OpenGL.
- The spec itself contains security issues. Not purely implementation ones due to bugs, but fundamental security design problems, which are far harder (maybe even impossible) to resolve down the line. When pointed out to the Khronos group, the "fix" was to add more functionality to OpenGL instead to try and mitigate them (it didn't BTW). That's like discovering a design flaw in DirectX and suggesting you can fix it by changing GDI. It's just stupid.
For far more involved discussion, see the six and a half billion other threads on why WebGL is a mess.