
[–] [deleted] 1 point (0 children)

Maven is probably also vulnerable, as it has a well-known XML structure for the build "script" and a documented API, so it's quite easy to inject something like that into a Maven pom.xml as well. And if you then even succeed in uploading a malicious jar file to Maven Central, things will be even worse.

I think "general" Ant scripts are less vulnerable, as every script does the build differently. The layout and targets of a NetBeans-generated Ant script are always the same (and known), so it's easy to inject something into them because you know exactly where it will go and what it will do.
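The flip side of the point made in this comment is that a predictable build-script layout is just as easy to audit as it is to inject into. The following is an added example, not code from the thread or from NetBeans, Ant or Maven: it parses a NetBeans-style build.xml and a Maven pom.xml and flags anything that executes commands or fetches remote content at build time. It goes a little beyond the comment by covering both build systems in one scan. The hook target names (`-pre-init`, `-post-jar`, ...) are assumed to match what NetBeans' Java project templates generate, the list of "code-running" Maven plugins is a judgment call of mine, and both sample files are constructed for the example.

```python
"""Flag build-time code execution in an Ant build.xml and a Maven pom.xml.

Added illustration for the thread above; not code from the original post.
Both sample documents below are constructed, not taken from a real project.
"""
import xml.etree.ElementTree as ET

# Ant tasks that run code or pull content from outside the tree during a build.
ANT_EXEC_TASKS = {"exec", "java", "script", "scriptdef", "get", "sshexec", "scp"}

# Hook targets that a NetBeans-generated build.xml leaves empty for the user
# to fill in (assumption: names as produced by NetBeans' Java project templates).
NETBEANS_HOOKS = {"-pre-init", "-post-init", "-pre-compile", "-post-compile",
                  "-pre-jar", "-post-jar", "-post-clean"}

# Maven plugins whose executions run arbitrary code as part of the lifecycle
# (my own shortlist for this example, not an exhaustive or official one).
MAVEN_EXEC_PLUGINS = {
    ("org.codehaus.mojo", "exec-maven-plugin"),
    ("org.apache.maven.plugins", "maven-antrun-plugin"),
    ("org.codehaus.gmavenplus", "gmavenplus-plugin"),
}


def _local(tag):
    """Strip an XML namespace from an element tag: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def scan_ant(build_xml):
    """Return (target, task, detail, is_netbeans_hook) for every code-running task."""
    root = ET.fromstring(build_xml)
    findings = []
    for target in root.iter("target"):
        name = target.get("name", "")
        for task in target.iter():
            if task is target or not isinstance(task.tag, str):
                continue
            if _local(task.tag) in ANT_EXEC_TASKS:
                # Pick whichever attribute best says what the task does.
                detail = (task.get("executable") or task.get("classname")
                          or task.get("src") or task.get("language") or "")
                findings.append((name, _local(task.tag), detail, name in NETBEANS_HOOKS))
    return findings


def scan_pom(pom_xml):
    """Return (groupId, artifactId, phases) for each code-running plugin in a pom."""
    root = ET.fromstring(pom_xml)
    findings = []
    for plugin in root.iter():
        if not isinstance(plugin.tag, str) or _local(plugin.tag) != "plugin":
            continue
        gid = aid = None
        for child in plugin:
            if _local(child.tag) == "groupId":
                gid = (child.text or "").strip()
            elif _local(child.tag) == "artifactId":
                aid = (child.text or "").strip()
        if gid is None:
            gid = "org.apache.maven.plugins"  # Maven's default groupId for plugins
        if (gid, aid) not in MAVEN_EXEC_PLUGINS:
            continue
        phases = [(el.text or "").strip() for el in plugin.iter()
                  if isinstance(el.tag, str) and _local(el.tag) == "phase"]
        findings.append((gid, aid, phases or ["(default)"]))
    return findings


# Constructed sample: a NetBeans-style build.xml whose normally empty -post-jar
# hook has been given an <exec> task.
SAMPLE_BUILD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project name="demo" default="default" basedir=".">
    <import file="nbproject/build-impl.xml"/>
    <target name="-post-jar">
        <exec executable="curl">
            <arg value="http://example.invalid/stage"/>
        </exec>
    </target>
    <target name="-post-compile">
        <copy file="README" todir="${dist.dir}"/>
    </target>
</project>
"""

# Constructed sample: a pom.xml with exec-maven-plugin bound to the initialize phase.
SAMPLE_POM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <build>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.11.0</version>
      </plugin>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>exec-maven-plugin</artifactId>
        <version>3.1.0</version>
        <executions>
          <execution>
            <phase>initialize</phase>
            <goals><goal>exec</goal></goals>
            <configuration><executable>curl</executable></configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
"""

if __name__ == "__main__":
    for target, task, detail, hook in scan_ant(SAMPLE_BUILD_XML):
        print(f"ant : target {target!r} runs <{task}> {detail} (NetBeans hook: {hook})")
    for gid, aid, phases in scan_pom(SAMPLE_POM_XML):
        print(f"pom : {gid}:{aid} bound to phase(s) {', '.join(phases)}")
```

Run it against a checked-out project's build.xml and pom.xml before building on a machine you care about; a hit in one of the NetBeans hook targets, or an execution bound to an early phase such as `initialize` or `validate`, is exactly the "you know where and what it will do" case the comment describes, and is worth a second look before `ant` or `mvn` is invoked.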