Hacker News
by feld 3157 days ago
Qubes has a nice fat attack surface known as the hypervisor. I'm skeptical when people point to this as the panacea of computing security.

In practice, it's a rather thin attack surface, and serious cloud providers rely on it, so it's both well-tested and any exploit can be used on much more valuable targets than your OS.

It's not a panacea. There are physical threats, there are threats from the very hardware you're using. But, like it says on the box, it is a reasonably secure operating system.

Yes, Qubes is only as secure as Xen which, itself, has had some pretty big security flaws pop up [1]. At the end of the day one has to decide what kind of trade-offs they are willing to make in order to balance simple UX and security.

[1] https://blog.quarkslab.com/xen-exploitation-part-2-xsa-148-f...

For Qubes 4, they are planning to deprecate the Xen paravirtual drivers in favor of the HVM drivers. These drivers are much more battle-tested and less complicated than PV drivers.

Also, with their recent foray into enterprise support, they will hopefully be able to expand their auditing efforts in the next couple of years.

And, in turn, as secure as the hardware, with ROWHAMMER giving a means of flipping bits in arbitrary memory locations, including recent work showing that one VM can flip bits in another.

I think the parent was talking about sandboxing and permissions.