I don't consider the lack of .xls in pandas worth a freeze exception,
but consider it reasonable for others to disagree with that.
As noted in the bug, there are some (possibly not-technically-valid)
.xlsx files that xlrd 1 can open but openpyxl can't - _pandas_ won't be
able to open those either way, but allowing other applications to do so
is still worth something.
There also may be applications that could switch to openpyxl but simply
haven't. I don't know how much effort switching is / whether it would
be reasonably possible for us to do it.
However, I wasn't aware of the security issues in xlrd 1 when I wrote
that, and they may well be a reason to go to xlrd 2 and accept this
breakage. Are they the long-standing "denial of service via excessive
XML entity expansion" or is there now (also) a risk of something worse?
