Yeah, frameworks that use raw PHP files as views at least have that as an excuse. But the cost of using a simple template engine with good caching support seems to be minimal compared to the benefit of XSS prevention. CodeIgniter, for example, can convert short tags to full PHP tags if short tags are turned off in php.ini. They might as well wrap htmlspecialchars() around every {$var} while they're at it.

Non-PHP frameworks, on the other hand, really have no excuse.