I'm not so sure about this. If an important userspace application, or actually any application, has been hacked, I consider the machine tainted forever. I'm not going to patch the holes up and keep running, because any file could have been modified, and finding out which ones is just much more work than firing up a new clean machine. If you're running a webserver and it's broken, you have in fact a fully compromised system, since the only thing running on that virtual machine is the webserver.
I can see many reasons not to run this OS, but the kernel/userspace separation is not necessarily the big deal.