X.Org Server Hit By New Local Privilege Escalation Vulnerability

  • #21
    Originally posted by scottishduck
    or the protocol that’s been in development for 14 years a
    X11 was in development for nearly 40 years and only stopped developing because everyone asked to touch this codebase runs away screaming.
    Protocols never stop developing, they are constantly adapting on the needs of the time via protocol extensions and this won't stop any time soon.

    Originally posted by scottishduck
    and still doesn’t work
    If Wayland "does not work", then what is Xorg? A possible way to torture people or what?


    • #22
      Originally posted by WannaBeOCer
      Didn’t wayland have a similar vulnerability last year?

      https://nvd.nist.gov/vuln/detail/CVE...#range-8384822
      Not really similar. The one in Wayland is really hard to reproduce. You need a lot of time and resources (hundreds of GB of RAM). Even then you'd probably also need some handcrafted Wayland because otherwise you'd most likely hit limits in other places. And even even then – I don't think it leads to privilege escalation, but I'm not 100% sure here.
      I agree X.org should be replaced but not until it reaches feature parity with X.org. Last I recall color management was just introduced about 3-4 months ago with Weston 11.0 and still has a long way before it becomes stable for production use for content creators or researchers.
      Nobody really uses Weston. Most major desktop environments use their own protocol implementation and at least some of them have color management handled with colord hacks. It's not ideal, but to be fair – it's not ideal in X11 either.


      • #23
        I had to smile at this CVE, because only recently somebody here was trying to tell us that root-privileged X11 was a security feature. xD


        • #24
          Originally posted by ryao

          New code tends to be less secure than mature code, so replacing it is a recipe for more security issues.
          Wayland is arguably more mature than Xorg: developers were able to learn from the mistakes in Xorg, which couldn't be done in Xorg itself due to being constrained by backwards compatibility.


          • #25
            Originally posted by NobodyXu

            Major window managers such as GNOME, KDE and sway don't use this reference implementation Weston.
            They refuse to participate as they have their own requirements: KDE uses Qt and GNOME uses its own implementation, sway also has its implementation that is designed to be reusable.

            It's likely they already got color management done.



            What?
            I used swaywm before switching to a MacBook Air, and it worked fine for me and was totally functional.
            KWin does not use the Qt Wayland implementation, it also has its own.


            • #26
              Originally posted by NobodyXu

              That totally depends on the design...
              And you also don't give any backing data for this.

              You are literally saying that a new project implemented with experience and lessons learnt from the past is definitely worse than your 20 years old project which is unmaintained, contains heaps of legacy code and uses quite some hacks for certain functionalities to work.
              The idea that new code has more bugs than mature code is well known. While I have seen charts showing fewer bugs found in old code versus bugs found in new code, I do not have any links on hand to provide. Just ask various experienced developers and you will hear the same from many more people than just me.

              That said, any project to write a replacement for a mature codebase from scratch will have more bugs than its mature predecessor until it matures itself. That is a fact of life.


              • #27
                I am pretty sure that X.org trolls won't disappear in my potential lifetime, 40-50 years into the future. Wayland is ready, NOW, to be used by 99% of Linux desktop users for all their needs. Perhaps a feature or two are still missing, boo-hoo. It is still usable for most. Let the corpse of X11 die already.


                • #28
                  Originally posted by ryao
                  That said, any project to write a replacement for a mature codebase from scratch will have more bugs than its mature predecessor until it matures itself. That is a fact of life.
                  I'm sure that's true in many cases, but as a general rule, I don't think you can claim that. It really depends on a lot of circumstances.
                  e.g. you might be able to avoid a big amount of bugs by starting with an improved design. You might do more unit testing. Or use a language that reduces the number of bugs by design.

                  Also, you might fall into the trap of assuming there are fewer bugs because nobody is looking for them.
                  Take KDE as an example. KDE 3.5 is pretty mature, right? Even at the time, it was considered relatively low on bugs and quite stable. So now that it has "matured" as Trinity, it should be very low on bugs?
                  Well, wrong. A couple of years ago a KDE dev looked into known bugs of KDE Plasma and KDE applications and checked whether Trinity is affected and as it turned out this was the case numerous times. There just wasn't anybody looking for these, since nobody, apart from a few stubborn people, is using the thing.

                  With X11, this is only partly the case. Of course there are many many users out there running X11. But on the other hand, there aren't really that many developers working on it, so fewer people studying the code.


                  • #29
                    Originally posted by archkde

                    KWin does not use the Qt Wayland implementation, it also has its own.
                    Thanks for the correction!
                    I've fixed the original comment.


                    • #30
                      Originally posted by ryao

                      The idea that new code has more bugs than mature code is well known. While I have seen charts showing fewer bugs found in old code versus bugs found in new code, I do not have any links on hand to provide. Just ask various experienced developers and you will hear the same from many more people than just me.

                      That said, any project to write a replacement for a mature codebase from scratch will have more bugs than its mature predecessor until it matures itself. That is a fact of life.
                      No, this is not actually a "law" or "rule". Yes, code needs review, testing, bug fixing, but it is not like it is a law of nature that old code has fewer bugs than new code. If a new project written from scratch uses better practices, made by better people, better organized, with better tools and languages, on better hardware, etc etc, it can have fewer bugs even when brand new. You can't know for sure these things. And old code, no matter how mature, doesn't mean it is polished just because bugs aren't being reported. X11 is full of holes that were inside the code for ages, they just got discovered (or disclosed) now. Same with hardware bugs like Meltdown, they existed for ages until someone noticed them and disclosed them to the public, before that, everyone thought those old "mature" CPUs were without such bugs....
