
That's hypothetical security, of course. In a practical sense Xen has seen several major security vulnerabilities, such as Venom.

Not that other VM systems haven't suffered similar problems. But when real-world experience shows that, for example, Xen is no less vulnerable to the most damaging exploits than any other VM manager then the hypothetical security advantages evaporate away and it no longer becomes a useful justification for preferring Xen.



Venom was a vulnerability in Qemu, not Xen, which has a containment mechanism (stub domains) for this class of vulnerability. In addition, PV Linux VMs do not use Qemu, so were not vulnerable. Qubes contained Qemu in stub domains, so was not vulnerable, https://groups.google.com/forum/m/#!topic/qubes-users/uRg6gk...
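As an added illustration of the containment point above (this is not code from the thread or from the Xen project): an operator can tell which guests actually run their device model in a stub domain by looking at `xl list`, since libxl runs a guest's QEMU in a separate domain named `<guest>-dm` when `device_model_stubdomain_override = 1` is set in its xl.cfg. The naming convention and the sample listing below are assumptions constructed for the example; PV guests run no QEMU at all and so have nothing to contain, which is why only HVM guest names appear in the sample.

```shell
#!/bin/sh
# Added example, not from the thread. Reports, for each HVM guest in an
# `xl list` listing, whether a companion stub domain ("<guest>-dm") exists.
# Assumption: libxl names stub domains with a "-dm" suffix, and the guest's
# xl.cfg enables it with:  device_model_stubdomain_override = 1

# Constructed sample `xl list` output: two HVM guests, only one with a stubdom.
SAMPLE_XL_LIST='Name                ID   Mem VCPUs      State   Time(s)
Domain-0             0  2048     4     r-----     120.3
web-hvm              3  1024     2     -b----      40.1
web-hvm-dm           4    32     1     -b----       3.2
legacy-hvm           5  1024     2     -b----      15.7'

# Read an `xl list` listing on stdin; print "<guest> contained" when a
# matching "<guest>-dm" domain is present, "<guest> UNCONTAINED" otherwise.
# Dom0 and the stub domains themselves are skipped.
stubdom_report() {
    awk 'NR > 1 && $1 != "Domain-0" { names[$1] = 1 }
         END {
             for (n in names) {
                 if (n ~ /-dm$/) continue        # the stub domain itself
                 if ((n "-dm") in names) print n " contained"
                 else                     print n " UNCONTAINED"
             }
         }' | sort
}

# Run the report over the constructed sample (on a real host, replace the
# sample with the output of `xl list`).
check_sample() {
    printf '%s\n' "$SAMPLE_XL_LIST" | stubdom_report
}

check_sample
```

On the sample this prints `legacy-hvm UNCONTAINED` and `web-hvm contained`: a QEMU bug in `legacy-hvm`'s device model would run with Dom0 privileges, whereas `web-hvm`'s device model is confined to a 32 MB unprivileged domain.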


Case in point: I received 12 hours of notice on a Sunday before my master database was rebooted to patch a Xen security flaw http://status.linode.com/incidents/2dyvn29ds5mz On the plus side, great Xen effort to roll out fixes before it became a public zero day.


Wait, but didn't you just contradict yourself?

> cool that xen rolled out fixes before zero day

> not cool that your vm was promptly rebooted to apply the fix


    > not cool that your vm was promptly rebooted to apply fix
Not sure where you got the "not cool" part. I believe the parent post just said "this happened", not "it sucks that this happened". I could be wrong, though.


They rolled out the patch over two weeks' time. The first fixes were after 12 hours, and could likely have waited at least 1 business day to give me proper notice.


The majority of the serious Xen security issues affected HVM, not PV.


Good point.



