"x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.
You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."
Hypervisors do not add security by themselves. But they make it possible to implement security by isolation cheaply.
Cheaply means: 1) preserving backward compatibility with apps and drivers, and 2) drastically reducing the attack surface thanks to smaller APIs. (Note that the HVM hypercall API isn't very big. Mostly physical memory ops, vCPU ops, physdev stuff, evchans and sched-related stuff.[2])
[1] : https://twitter.com/rootkovska/status/843031083398692866