Though I don't have any IBM technotes to go along with it, I can at least throw in my two cents to agree that you are right on both counts.

For the first, I don't know that XPages has a particular upper bound: those names will increase with the structure of the app, so there's not a real max unless browsers or the server stack impose one. You could PROBABLY be fine with, say, 128, as long as you don't go too far with nested controls.

The second is even more cut-and-dried: "/.ibmxspres/" is not path traversal, nor would I expect it to be on any platform. I'm not sure why the firewall would flag a URL like that, really. Domino happens to use that to represent special directories on the server, but the URL itself doesn't include either "/./" or "/../", which would be the dangerous ones there. I'd expect them to worry more that it looks like it's accessing a hidden dotfile, but it's also not doing that.

Well I don't have a good answer for you...  I tweeted this so maybe some people smart then me will chime in.  If not then maybe try posting on StackOverFlow...

I'm NOT an admin but my first thought is these are pretty stupid rules.  The Barracuda Web Application Firewall should exist to protect and service web applications. IT infrastructure needs to support applications and business needs.  The business should not bend to support IT infrastructure.  No one will log into the website because it's protected by a Barracuda firewall.  They log in for the web applications.  

The first one I don't get as those are typically ID's I thought... not really parameters...  but I'm not an expert on it.  The id conversion is kinda annoying but when you repeat custom controls you can litterally use the same thing over and over again...  so it needs to do that to keep things unique. There probably is no maximum level that is safe.  You could have a custom control to represent a generic input box.  Then you could use that EVERYWHERE...  it could get really deep..  again - technically I don't know if there is a limit really...

And I understand the 2nd concern even less...  That appears to be as the Pennsylvania Dutch might say...  fricken dumb...  what don't they like?  a directory with a dot in it?  Every consumable open source project will likely have that in their folders to represent the version number.  I guess it's that ibmxspres starts with a dot?  so that's the /.ibmxspres thats the issue?  I guess I don't know why this is a thing at all.  / ./ is traversal as mentioned here:  http://www.iss.net/security_center/reference/vuln/HTTP_URL_dotpath.htm  but /.foldername is not.  Even that IBM document considers that low risk.  Another doc on Traversal is here:  http://en.wikipedia.org/wiki/Directory_traversal_attack  and nowhere is /.foldername mentioned as a path for an attack.

Just my 2 cents...