It only makes sense that they wouldn't allow that to be manageable on client-side. After all, that's another security mechanism. However, one of the comments does make the good point that it can be managed server-side if you have an Apple SUS implemented. I think it would be great to be able to manage it server side a get granular instead of it being all or nothing.
It can be managed to the extent of turning off the updates for XProtect, but I don't recommend that.
Meanwhile, XProtect's blacklist currently defines an older version of Java 8's browser plug-in as being the minimum allowed version. So if you have something that needs Java 7's browser plug-in, you're going to have a problem right away after upgrading to El Capitan even if you have XProtect updates blocked otherwise.
Sweet. For those who are going to embark on this via Config Profiles, note that it's a custom payload. You'll probably want to think of a safe place to keep copies of plist "snippets" containing the keys you intend to manage (and nothing else), as you won't be able to easily update the payload to make simple edits.
This worked better via MCX in Casper 8 when you could specify 'array' as a key type and edit the text in-browser. I've complained quite a bit about that feature's removal, but I grow tired of tilting at that particular windmill...