Nesting quotes was likely turned off for performance reasons… you get a lot of nests and it ends up pegging the database pretty severely.
BBCode is a widely used standard for forums. It’s something that the forum software can parse and easily handle any mistakes (for example, by not closing tags). HTML, on the other hand, can be screwed up by users and result in a very badly rendered page. It’s much easier to turn off all HTML than to try to only turn off select parts of it.
Those aren’t dynamically fetched, though: it’s just hardcoded into the quoting post. Is it just because it makes the post that much longer? (And if that’s the issue, why not limit it to three levels, or something?)
I thought the [s] tag was standard BBCode… (It’s in Wikipedia’s list, at least.)
As for HTML, as far as I know, there isn’t any risk from the entities (which represent single characters), only the tags (with names enclosed in angle brackets). And every parser I’ve seen will explicitly prevent you from creating a tag from raw entities—they’ll just render as individual characters that look like a tag.