Channel: THWACK: Message List

Re: FSM vs NCM


NCM performs a "diff" based only on the text (syntax) of two versions of the same config, but does not really "understand" the nature of the change or predict its effects.

It just tells you: this line is different / added / removed compared to this one. The reader is in charge of understanding what the impact of the change is. Also, this "diff" is performed on all lines of the config, whatever its nature.

FSM performs an analysis only on the security rules of the config (granted, this is most of what a firewall does).

The FSM "diff" function understands the impact of the change. It can tell you that by removing this ACL or changing its parameter, the traffic will now flow differently or not flow at all. It can understand that this change creates a security issue (or not) and flag it in a security report. It can understand that this change, combined with five other ACLs that are elsewhere in the config and unchanged, now creates a compliance violation and flags it in a report.

Here is an example of the "understanding" of a security issue, that illustrates the difference between a "semantic" and "syntactic" understanding of a change.

[Image: FSM security rule example.PNG]
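The distinction the post draws, shown as an added Python example (this is not code from the post, from FSM or from NCM): a text diff reports that one line was added, while a rule-aware diff evaluates sample flows against both versions, reports which traffic now flows that did not before, and flags the new line as an overly permissive permit. The ACL lines and the test flows are constructed for illustration, and the parser only covers the small Cisco-style subset they use.

```python
"""Syntactic vs. semantic diff of a small ACL (constructed example)."""
import difflib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configs, not taken from any real device.
CONFIG_BEFORE = """\
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443
access-list 101 deny ip any any
"""

CONFIG_AFTER = """\
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443
access-list 101 permit ip any any
access-list 101 deny ip any any
"""


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port
    text: str                     # original line, kept for reporting

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (wildcard) after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config: str) -> List[Rule]:
    """Parse the 'access-list N action proto src dst [eq port]' subset used here."""
    rules = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport, line))
    return rules


def syntactic_diff(before: str, after: str) -> List[str]:
    """What a text-only diff reports: added and removed lines, nothing more."""
    return [l for l in difflib.unified_diff(before.splitlines(), after.splitlines(),
                                            lineterm="", n=0)
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match semantics with the implicit deny at the end of every ACL."""
    for r in rules:
        if r.matches(proto, src_ip, dst_ip, dport):
            return r.action
    return "deny"


def overly_permissive(rules: List[Rule]) -> List[str]:
    """Flag permit rules that match any source, any destination and any port."""
    return [r.text for r in rules
            if r.action == "permit" and r.proto == "ip" and r.dport is None
            and r.src.prefixlen == 0 and r.dst.prefixlen == 0]


def semantic_diff(before: str, after: str, flows) -> Dict[str, object]:
    """Compare verdicts per flow, so unchanged rules elsewhere still count."""
    old, new = parse_acl(before), parse_acl(after)
    changed = {}
    for flow in flows:
        b, a = evaluate(old, *flow), evaluate(new, *flow)
        if b != a:
            changed[flow] = (b, a)
    return {"flow_changes": changed,
            "new_permissive_rules": [t for t in overly_permissive(new)
                                     if t not in overly_permissive(old)]}


# Constructed test flows: (proto, src, dst, dport).
FLOWS = [
    ("tcp", "10.1.1.5", "10.2.2.10", 443),    # the intended traffic
    ("tcp", "192.168.5.5", "10.2.2.10", 22),  # SSH from an unrelated network
]

if __name__ == "__main__":
    print("syntactic:", syntactic_diff(CONFIG_BEFORE, CONFIG_AFTER))
    print("semantic:", semantic_diff(CONFIG_BEFORE, CONFIG_AFTER, FLOWS))
```

The text diff returns a single added line; the semantic diff returns that the SSH flow changed from deny to permit and that the added rule is a permit-any. Evaluating flows rather than lines is what lets a change to one rule be judged together with the rules that did not change.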

