You’re dead right about physical access. If you can’t control that, your security is worthless. Most companies with mature IT processes understand that the rooms that store servers are not also office spaces. When that simple concept is alien to a company, the area becomes “high traffic” and is then impossible to secure.

However, if someone can remotely gain access to hypervisor via the virutal server session, “hyperjacking” (I love new technobabble), you have trouble in spades.

But #3? If hackers are getting to your actual servers, you have a bigger problem than virtualization. That’s like saying it’s the goalie’s fault for letting a guy score after he’s taken the ball all the way from his own penalty box and dribbled past every other player on the team.

For example, I can think of at least one instance I’ve seen in a major corporation where half the company had physical access to racks and racks of servers that supported mission critical applications. Vulnerability to hackers wasn’t nearly as big of a threat as the possibility of someone turning a machine off (which happened).