For an example, here's an Orange Book A1-class VMM by legend Paul Karger. He's one of inventors of INFOSEC, genius designer/coder, and high-assurance veteran. Look at the design and assurance sections (p9 onward) of it to see what... in 90's... was necessary to secure a VMM via minimal privilege (POLA), correctness arguments, backdoor prevention, and covert channel suppression. Nothing today in OSS even has this baseline despite us discovering more problems and solutions. Re-reading it now, I noticed they were even doing continuous integration on it well before that became a fad.
http://lukemuehlhauser.com/wp-content/uploads/Karger-et-al-A...
A modern example, one I cited on their mailing list, is INTEGRITY-178B. The features plus assurance activities are a nice illustration of high-assurance approach to microkernels for security or virtualization vs things like Xen. Quite a few things worth copying for security- or reliability-focused OSS projects. Approaches that got open-sourced from CompSci are in links below it.
http://www.ghs.com/products/safety_critical/integrity-do-178...
http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=9EE...
http://genode-labs.com/publications/nfeske-genode-fosdem-201...
Note: GenodeOS is a competitor that uses components like above with architecture designed to lower risk in TCB like in high-assurance. It's nice work. Fundamental architecture needs peer review, though, to ensure it has claimed properties.
Using a computer today requires interoperating with such a bewildering array of other systems. Just writing a web browser is a huge undertaking.
It's wrong to compare Qubes to academic microkernels that require applications written in a formal language. It should be compared to a general Linux/BSD distro or to Windows, because those are the systems it's competing for users with. In comparison to those, it's a much more solid platform for security.