I believe the argument goes that Xen hypervisor bare-metal virtualization is a much smaller attack surface than a hypervisor hosted by an operating system reliant upon constant administrative patching and hardening.