Hacker News

Except VirtualBox is open source and probably the whole reason these vulnerabilities are found. I’m sure similar vulnerabilities could exist in VMware but are much harder to find due to being closed source.


Even if we accept the premise, I'd rather use software that contains hard-to-find bugs than easy-to-find bugs, all other things being equal.

In my experience of casual usage VMware is less buggy in general (no random crashes, etc.), and that usually translates into fewer security bugs too.

But if your adversary is spending $$$$$ on vulns to throw at you, you can probably assume they can vm-escape either one.


It’s really not harder for the folks with this skill set, and plenty of these vulnerabilities have been found in VMware too over the years.

https://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY...

https://www.darkreading.com/vulnerabilities-threats/vmware-z...

https://cloud.google.com/blog/topics/threat-intelligence/vmw...


It is always harder, because it always takes more time. We don't know the ratio (how many more bugs would have been found if VMware were open source).


We can agree to disagree. I just don’t think it’s the high-order bit in determining the rate of vulnerability discovery - in my opinion the commercial utility (white / black / grey) of the exploits is a more important factor in determining how quickly they are found.



