With all the security holes, people actually prefer to use sh1tty libraries like PHP/smarty which absolutely leave your server to be rooted if permissions aren't set up perfectly.
As for Java/Spring/Beans, JSTL is way better because you can define directives and all the default JSTL directives are open.
If somebody is using XSLT, it's because it's a years old application and supporting those types of apps is no fun at all. It's usually sh1tty work a lead developer assigns people who he or she doesn't like from my exp. As a developer you want to do something new and challenging and that will affect a lot of people.