HTML sanitization

Leaving a safe HTML element off a whitelist (allowlist) is not so serious: it simply means that the feature will be stripped from the sanitized output, a failure that is visible and harmless.

On the other hand, if an unsafe element is left off a blacklist (blocklist), the sanitizer passes it through unchanged and the vulnerability survives in the HTML output.

An out-of-date blacklist is therefore dangerous whenever new, unsafe elements or attributes have been introduced to the HTML Standard: the blacklist fails open, whereas an out-of-date whitelist merely fails closed.

In PHP, HTML sanitization can be performed with the strip_tags() function, at the risk of removing all textual content that follows an unclosed less-than sign (an angle bracket with no matching closing bracket), because strip_tags() does not validate the HTML it strips.[1] Tags passed through its allowed_tags parameter are kept with their attributes untouched, so event-handler attributes on an allowed tag survive unless they are handled separately.
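The allowlist-versus-blocklist contrast above, together with the stray "<" problem just noted for strip_tags(), as an added Python example: this is not code from this article, from PHP or from any named sanitizer library. Both sanitizers share one tolerant tokenizer from the standard library (html.parser); the element and attribute sets, the formaction vector and the sample input are assumptions chosen for the demonstration.

```python
"""Allowlist versus blocklist sanitizers on Python's tolerant html.parser.
Added illustration, not the article's code nor any named library's; the
element/attribute sets, formaction vector and sample input are assumptions."""
from html import escape
from html.parser import HTMLParser

VOID_ELEMENTS = {"br", "hr", "img"}  # never take a closing tag (subset)

class _TagFilter(HTMLParser):
    """Re-serialises HTML, keeping only what keep_tag()/keep_attr() accept.
    Text is re-escaped on output, so a stray '<' becomes '&lt;' instead of
    swallowing what follows; comments and declarations are silently dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropped = 0  # nesting depth inside a dropped element's subtree

    def handle_starttag(self, tag, attrs):
        if self._dropped:
            if tag not in VOID_ELEMENTS:
                self._dropped += 1
            return
        if not self.keep_tag(tag):
            if tag not in VOID_ELEMENTS:
                self._dropped = 1  # drop the element and everything inside it
            return
        parts = [tag]
        for name, value in attrs:
            if self.keep_attr(tag, name, value):
                parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in VOID_ELEMENTS:
            return
        if self._dropped:
            self._dropped -= 1
        elif self.keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropped:
            self.out.append(escape(data, quote=False))

    def run(self, html):
        self.feed(html)
        self.close()
        return "".join(self.out)

# Allowlist: anything not listed is removed, so an incomplete list fails closed.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}

class AllowlistSanitizer(_TagFilter):
    def keep_tag(self, tag):
        return tag in ALLOWED

    def keep_attr(self, tag, name, value):
        if name not in ALLOWED[tag]:
            return False
        if name == "href":  # http(s) or same-origin path; no javascript:, no //host
            v = (value or "").strip().lower()
            return v.startswith(("http://", "https://")) or (
                v.startswith("/") and not v.startswith("//"))
        return True

# Blocklist: anything not listed is kept, so an incomplete list fails open.
BLOCKED = {"script", "iframe", "object", "embed", "applet"}

class BlocklistSanitizer(_TagFilter):
    def keep_tag(self, tag):
        return tag not in BLOCKED

    def keep_attr(self, tag, name, value):
        # Knows on* handlers and javascript: in href/src, but nothing about
        # formaction, an HTML5 attribute assumed here to postdate the list.
        if name.startswith("on"):
            return False
        v = (value or "").strip().lower()
        return not (name in ("href", "src") and v.startswith("javascript:"))

def sanitize_allowlist(html):
    return AllowlistSanitizer().run(html)

def sanitize_blocklist(html):
    return BlocklistSanitizer().run(html)

# Constructed sample: benign markup, a classic <script>, the newer formaction
# vector, and a stray '<' in running text.
UNTRUSTED = (
    '<p>Hi <b>there</b>, see <a href="https://example.org">docs</a>.</p>'
    '<script>alert(1)</script>'
    '<form><button formaction="javascript:alert(1)">Click</button></form>'
    '<p>1 < 2 &amp; 3 > 2</p>'
)

if __name__ == "__main__":
    print("allowlist:", sanitize_allowlist(UNTRUSTED))
    print("blocklist:", sanitize_blocklist(UNTRUSTED))
```

Run on the sample, the blocklist version removes the script element and would remove any on* handler, yet passes the form and the button carrying formaction="javascript:alert(1)" because neither appears on its lists; the allowlist version drops form and button simply because they were never approved, and strips a javascript: href from an otherwise allowed link. In both cases the tokenizer turns "1 < 2" into "1 &lt; 2" rather than discarding the rest of the paragraph, which is the behaviour one wants instead of the strip_tags() truncation described above.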

In JavaScript there are "JS-only" sanitizers for the back end,[7] and browser-based implementations[8] that use the browser's own Document Object Model (DOM) parser to parse the HTML. Besides better performance, this means the sanitizer operates on the same parse tree the browser will render, so markup cannot be interpreted one way by the sanitizer's parser and another way by the browser.