Hypervisors do not add security by themselves. But they make it possible to implement security by isolation cheaply.
Cheaply means: 1) preserving backward compatibility with apps & drivers, 2) with drastically reduced attack surface due to smaller APIs. (Note that the HVM hypercall API isn't very big. Mostly physical memory ops, vCPU ops, physdev stuff, evchans and sched-related stuff.[2])
[1]: https://twitter.com/rootkovska/status/843031083398692866