>> The security issue is a valid question.
Not really. WebGL, like OpenGL, Glide or D3D, is just an API abstraction. The way MS would likely implement WebGL (or WebD3D) is as a "wrapper" layer that would re-interpret all the WebGL calls to another lower-level API - essentially, a shim would exist that would use lower-level APIs, but not expose them. The layer that deals with the WebGL calls can be as hard as the engineers make it - there is no requirement in the WebGL spec that the API provide unfiltered access to lower-level system APIs.
What MS is saying is actually just not factually accurate. I'm pretty surprised more haven't caught on to that.
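
The wrapper layer described in the comment above, as an added sketch that is not part of the original post or any browser's code: a shim that hands page script opaque handles, validates every call, and only then forwards to a lower-level backend. `makeNativeBackend`, `createShim` and their methods are hypothetical names, and the backend is a mock that just records calls.

```javascript
// Added illustration; every name here is hypothetical, not a real browser API.
// Mock of a lower-level graphics API that page script must never reach directly.
function makeNativeBackend() {
  const calls = [];
  return {
    calls,
    alloc(bytes) { calls.push(['alloc', bytes]); return calls.length; },
    draw(bufferId, indices) { calls.push(['draw', bufferId, indices.length]); },
    rawMemoryWrite() { calls.push(['rawMemoryWrite']); }, // exists, never exposed
  };
}

// The shim: the only object handed to page script. The backend stays in the closure.
function createShim(native, limits = { maxBufferBytes: 1 << 20 }) {
  const buffers = new Map(); // opaque handle -> { nativeId, vertexCount }
  let nextHandle = 1;
  return Object.freeze({
    createVertexBuffer(floats, componentsPerVertex = 3) {
      if (!(floats instanceof Float32Array)) throw new TypeError('Float32Array required');
      if (!Number.isInteger(componentsPerVertex) || componentsPerVertex < 1) {
        throw new RangeError('bad component count');
      }
      if (floats.byteLength > limits.maxBufferBytes) throw new RangeError('buffer too large');
      if (floats.length % componentsPerVertex !== 0) throw new RangeError('partial vertex');
      const nativeId = native.alloc(floats.byteLength);
      const handle = nextHandle++;
      buffers.set(handle, { nativeId, vertexCount: floats.length / componentsPerVertex });
      return handle; // page script sees a handle, not the backend's id
    },
    drawElements(handle, indices) {
      const buf = buffers.get(handle);
      if (!buf) throw new Error('INVALID_OPERATION: unknown buffer handle');
      if (!(indices instanceof Uint16Array)) throw new TypeError('Uint16Array required');
      // Reject before the backend ever sees an index past the end of the buffer.
      for (const i of indices) {
        if (i >= buf.vertexCount) throw new RangeError('INVALID_OPERATION: index out of range');
      }
      native.draw(buf.nativeId, indices);
    },
  });
}
```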