by asterius 3070 days ago
There is no particular reason to expect that qemu has any greater security than vbox. All of these systems have a significant amount of very critical code; I am particularly sceptical of the hardware emulation part.

AWS recently started moving from a custom Xen to a custom KVM, but it doesn't seem it was for security reasons. Xen certainly is heavily used by public cloud providers.

1 comments

QEMU is huge, but you choose what parts to use. If you stick to the defaults, e.g. your VM has one or more virtio devices, a virtual USB3 controller and USB tablet, maybe an IDE/AHCI controller and an e1000 or rtl8139 NIC, it should be pretty okay.

Because of its use with KVM, QEMU has had its code scrutinized quite closely in the last few years. There are some device models that have a pretty bad track record, such as Cirrus VGA, but they are not the default anymore and there's no reason why you should use them.
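The advice in the reply above can be turned into a quick configuration check. The following is an added example, not part of either comment and not QEMU project code: it lists the device models named explicitly on a QEMU command line and separates the one the reply calls out (Cirrus VGA) from models the reply does not mention. The mapping from the reply's wording to QEMU `-device` names and the sample command line are assumptions made for this example.

```python
import shlex

# QEMU -device model names for the devices the reply lists as the usual set.
# Mapping the reply's wording onto these names is an assumption of this example.
USUAL = {"qemu-xhci", "nec-usb-xhci", "usb-tablet", "ahci", "ich9-ahci",
         "ide-hd", "ide-cd", "e1000", "rtl8139"}
USUAL_PREFIXES = ("virtio-",)
# Named in the reply as having a bad track record.
BAD_RECORD = {"cirrus-vga"}
# The -vga shorthand selects one of these device models.
VGA_SHORTHAND = {"cirrus": "cirrus-vga", "std": "VGA", "virtio": "virtio-vga",
                 "qxl": "qxl-vga", "vmware": "vmware-svga"}

def explicit_devices(cmdline):
    """Device models named on the command line (machine defaults are not visible here)."""
    argv = shlex.split(cmdline)
    models = []
    for opt, val in zip(argv, argv[1:]):
        if opt == "-device":
            model = val.split(",", 1)[0]
            if model.startswith("driver="):  # long form: -device driver=NAME,...
                model = model[len("driver="):]
            models.append(model)
        elif opt == "-vga" and val in VGA_SHORTHAND:
            models.append(VGA_SHORTHAND[val])
    return models

def audit_qemu_cmdline(cmdline):
    """Return (flagged, unreviewed): models with a bad record, and models the reply never names."""
    flagged, unreviewed = [], []
    for model in explicit_devices(cmdline):
        if model in BAD_RECORD:
            flagged.append(model)
        elif model not in USUAL and not model.startswith(USUAL_PREFIXES):
            unreviewed.append(model)
    return flagged, unreviewed

# Constructed sample command line, for illustration only.
SAMPLE = ("qemu-system-x86_64 -enable-kvm -m 2048 "
          "-device virtio-blk-pci,drive=hd0 -device virtio-net-pci,netdev=n0 "
          "-device qemu-xhci -device usb-tablet -vga cirrus "
          "-device ne2k_pci,netdev=n1")

if __name__ == "__main__":
    flagged, unreviewed = audit_qemu_cmdline(SAMPLE)
    print("bad track record:", flagged)
    print("not in the usual set:", unreviewed)
```

Devices that the machine type adds implicitly never appear on the command line, so a clean result here covers only what was requested explicitly.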