Theoretically, they have a smaller attack surface. The programs inside the VM can't interact directly with the host kernel.