XML is a well developed and adopted standard, making it easier to read and understand than proprietary configuration formats.

Also, it's worth understanding that XML serialization is a common tool available in most languages that makes saving object data extremely easy for developers. Why build your own way of saving a hierarchy of complex data when someone else has already done the work for you?

.NET: http://msdn.microsoft.com/en-us/library/system.xml.serialization.aspx

PHP: http://us.php.net/serialize

Python: http://docs.python.org/library/pickle.html

Java: http://java.sun.com/developer/technicalArticles/Programming/serialization/

Its because XML allows you to basically make your own semantic markup, which can be read by a parser built in virtually any language. An added benefit is that the configuration file written in XML can be used on projects where you are using two or more languages. IF you were to make a configuration file where everything was defined as variables for a specific language, it would only work in that language, obviously.

Well.., XML is a general-purpose specification that can hold descriptions, nested information and data about something. And there are many APIs and softwares that can parse it and read it.

So it's much easy to describe something in formal way that is known cross platforms and applications.

This is an important question.

Most alternatives (JSON, YAML, INI files) are easier to parse than XML.

Also, in languages like Python -- where everything is source -- it's easier to simply put your configuration in a clearly-labeled Python module.

Yet, some people will say that XML has some advantage over JSON or Python.

What's important about XML is that the "universality" of XML syntax doesn't really apply much when writing a configuration file that's specific to an application. Since portability of a configuration file doesn't matter, some Python folks write their configuration files in Python.

Edit

Security of a configuration file does not matter. The "configuring a Python program in Python is a security risk" argument seems to ignore the fact that Python is already installed and running as source. Why work up a complex hack in a configuration file when you have the source? Just hack the source.

I've heard folks say that "someone" could hack your app via the configuration file. Who's this "someone"? The sysadmin? The DBA? The developer? There aren't a lot of mysterious "someone"s with access to the configuration files.

And anyone who could hack up the Python configuration file for nefarious purposes could probably install keyloggers, fake certificates or other more serious threats.

Because XML sounds cool and enterprisey.

Edit: I didn't realize my answer was so vague, until a commenter requested the definition of enterprisey. Citing Wikipedia:

[...] the term "enterprisey" is intended to go beyond the concern of "overkill for smaller organizations", to imply the software is overly complex even for large organizations and simpler, proven solutions are available.

My point is that XML is a buzzword and as such is being overused. Despite other opinions, XML is not easy to parse (just look at libxml2, its gzipped source package is currently over 3MB). Due to the amount of redundancy it is also annoying to write by hand. For example, Wikipedia lists XML configuration as one of the reasons for the decrease of the popularity of jabberd in favor of other implementations.

One other point, if you have an XSD (schema file) to describe your configuration file, it is trivial for your application to validate the configuration file.