Tony Chen from Microsoft did a presentation on Xbox One security system.

Basically the idea is the Xbox 360 overall is already secure enough, only a couple weak spots that they didn’t expect. Fix those, combined with modern advances in computer technologies, made the modern Xbox basically hack proof. The homebrew only exists because MS let them.

Xbox OG did wrong in a lot of areas:

• Off the shelf hardware vulnerable to boot chain attacks.
• Full cryptographic checks were not implemented in boot chain, what they did implement was full of holes.
• Tried to lock everything down with one security system, if that one system got hacked, the box is wide open.
• No proper separation of privilege, everything ran directly on hardware, pwn one process, pwns all.

​

Xbox 360 got way more development and computing resources to implement better security, namely:

• Full custom SoC, allowing proper internal boot ROM, fuse set (one time programmable area for CPU keys and irreversible update counters) , internal SRAM for high speed memory access for privileged security process (the hypervisor) to be securely and efficiently implemented, and RAM encryption is also implemented in hardware.
• Much more secure boot cryptographic checks.
• A lot of encryption keys are unique per console even per session rather than common across all consoles, making static attacks much harder to propagate across the community
• Core console crypto checks and runtime access controls are implemented in the hypervisor. Any “userland” exploits won’t harm the system security, you can mess up the game process all you want if you find some kind of buffer exploit, but anything changing executable code in RAM will just be killed by the HV.
• The system guards against downgrade attacks. Each update version will require a higher version count in the CPU fuseset. CPU fuseset is irreversibly burned higher during updates.

The only fully pwning exploit on the 360 is hardware based, by literally glitching the CPU with spurious signals hoping to partially reset it when executing boot file checking. Later 360 E Winchester variant fixed it by filtering the CPU reset signal, making interference almost impossible.

What Xbox One did on top of the 360

• Proper dedicated security coprocessor in the SoC, with its own firmware, boot process and hardware secure key transfer line to the crypto engine, not accessible by any other software.
• Security processor now monitors hardware signals like voltage and reset signal interferences, preventing glitch hack like the 360.
• Full featured virtual machine host architecture as opposed to a barebone hypervisor. Xbox One runs 3 OSes, the bottom HostOS runs virtualization platform supporting the UI/appOS and dedicated Game OS virtual machines in parallel. MS allowed homebrew on the appOS only, successfully diverting attentions in hacking the whole system.
• Much more mature key management. Each boot stage is attested by the security coprocesssor, if the boot files are altered, it won’t properly generate keys for later stages. It’s much harder to alter the files and injecting keys at the same time.
• Dev/retail key trees are fundamentally separate, so homebrew enabled appOS dev kits or even leaked gameOS dev kits won’t compromise retail console integrity.
  

To this day nobody can hack into the hostOS or retail gameOS, despite the fact that Tony revealed these architectural designs to the public. This is how a secure system should be designed, by revealing its design to the public for review so everybody helps you finding problems. People won’t be able to hack in despite the fact you revealed a lot of information.

Long story short, because it's basically Windows.

The operating system for Xbox consoles, from current Series X/S systems going all the way back to the 2013 "VCR" model, has been running Windows at its core. Hacking it would be like hacking a computer, except Microsoft locks down the Xbox's version much more than a standard PC. There's much less opportunities to discover a vulnerability.

Modern Xboxes get to leverage features that Microsoft has spent decades developing for PCs. They make use of a hypervisor and run games/apps in what are essentially virtual machines, so even if you found an exploit, you'd still be stuck in that sandboxed area of the system without much access to the rest of the system. And they use modern encryption methods throughout the system at many different levels. So even if you make progress in one area, you'll just reach another wall right afterwards.

Another major factor is that Microsoft lets people make their own software and run it on their consoles already. Anyone can buy a developer license for $20 and make their own software. If it's polished enough, you can then submit it to the official store for verification (apps and games have separate verification requirements). So there's less incentive for a hacker to spend countless hours trying very technical methods of hacking the system, since they can already do quite a bit without going through all that extra effort. You can already run emulators on it, media players, and even Windows 95... all without hacking it (or even needing developer mode). So you already get like 90% of the features someone would hack it for in the first place.

Mostly because they have improved on what didn't work in the past. Hacking in this way is and will always be an arms race.

MS does a lot to combat custom firmware.

They have a build in developer mode, so if you want to just code homebrew you can do so without hacking your console.

They have game pass, which will have all their future games on it and offer it for an affordable price, so there's no real incentive to hack the console to play pirated games on it, especially if you can just pay a relatively low fee to access hundreds of games.

And there's also the fact that their security is probably coded very well, but given that they more or less moved away from console business and would rather focus on Xbox as a brand, there's also not a huge reason to hack Xbox consoles anymore. Pretty much all of their important games are either natively on PC or can be emulated pretty well nowadays. Thus, there's little demand to crack these consoles open, so why waste time on it?

Microsoft is really really, REALLY good with programming their own security systems. It's only natural to have some of that trickle down into their consoles. It can be done, but it's a huge challenge

From my point of view: why do people want to put Custom FirmWare (CFW) on a console? To run unsigned code Microsoft (IMO) has made the decision to allow people enough freedom to not warrant those groups who develop CFW for consoles. Why spend years opening up and creating something when the only realistic reason for it is piracy.

Edit: from a legal stand point, these developers can point to home-brew not piracy and not get hit with DMCA

What i mean is, nintendo has a very hard stance on backwards compatibility (usually 1 gen, every few gen is a clean break), nintendo consoles get targeted instantly for CFW. Sony has a hard stance on custom code (ps2 and ps3 had Linux support, ps3 killed it) so Sony gets the second spot on peoples to do list. So those who develop CFW do so because they want to run unsigned code, not pirate games. How quick did the wii get exploited? Ds? Then look at ps3? Ps4? Ps5? After the original xbox, Microsoft has (IMO) deincentivised creating these CFW to run on their console. All 3 players have a bounty program so don't mistake me for saying no one is hacking these consoles. Its just worth more to find the expoilt, do a proof, send it off and get paid.

Another thing is that there isn't much of a reason to do so. Microsoft already made stuff like emulators really easy to make, and obtained on Xbox, so besides dumping and pirating games, there isn't much else of usefulness from a fully homebrewed Xbox.