Many of X security issues could be solved if they implement the Xenocara changes.

Note that this security vulnerability requires access to your X server, which on a modern Linux distribution requires either a compromised system to start with or a manually-reconfigured system that has the X server listening on a network-available socket. Such things do exist, the vulnerability is real and needs patching to prevent exploits in edge cases, but does not affect the vast majority of systems most people will ever see in their lives.

Anyway, this vulnerability reduces the usual level of in-built X11 security from "almost nothing" to "pretty close to none" so really, not a biggie. You still need to take other precautions to avoid the office joker from popping up xeyes on your screen and that won't change even with this problem fixed.

I like how there was a lot of "Compile against libbsd" in there.

You found me.

Not surprised.
Also it is not worth rewriting parts of X.Org in Rust since X is on the way out in favor of Wayland,
I think the best they can do is have a build option to compile a minimal X.Org version only suitable for XWayland that can't run independent.
A build option to compile a minimal, stripped down, barebones X.Org version without legacy garbage, deprecated stuff, unused stuff, and rarely used stuff.
A build option to compile a modern legacy-free X.Org even if breaks old GTK+ 1, Qt 2, Athena and Motif applications.

Actually xeyes are lame.
My first joke was decayscreen on an ssh connection 20 years ago. The guy knew about it, but he was convinced it would not work. It worked perfectly fine over his ssh from germany to my desktop in the netherlands. I was just arguing with him about the security of his X11 connection over ssh :-).
My second joke was xset dpms force off, which at that time made the relais in the monitor click very loud. If I didn't eject -t the cd drive it would have been complete (the eject gave it away :-( ).
My third joke was playing raunchy videos on the XV plane with color keying to a very bright white, so people wouldn't notice until they started an empty browser page. Especially fun when bosses are also walking around. Unfortunately XV planes have been abandoned 10 years ago on PC's. On armhf SoC's getting access to XV planes is even for the real owner a challenge.
My fourth joke was just randomly run xclip with underwear words, so when a developer was pasting some code... it would not compile.

This actually was an office challenge, as an admin department everybody had root rights to eachothers system. The essence was to obtain access without abusing admin rights.
(Actually everybody had access to eachothers systems using NIS but that did not include getting access to somebody's private files).

I can think of some bad pranks with revised versions of that XV plane joke. You can fake screenburn with a full-screen transparent window and a raunchy photo image, or better yet one that just looks raunchy on first sight.

Another one is to make to use a front-panel transparent borderless window to add fake dead pixels.

Then there is the old fake fly inside the monitor gag, that one still gets people to this day.

I think they should completely rebuild X11 more modular code. They can reuse a lot of the old code. Some of the rusty code can be moved to "legacy modules" that are only loaded as needed. The system won't even install them unless you have an application that uses them.

Some of the old routines should be shimmed out to new routines when it's easy, if not they should strip them to the unaccelerated raster or canvas versions, and use the newer acceleration on the final draw calls, while not accelerating for the old routines. This will minimize introducing bugs.

they should rewrite it in rust.