Re: not sure about enterprise but
True they all have them from time to time but Xen lately has been a leaking like a sieve.
Actually, this is not really true. If you look http://www.cvedetails.com/vendor/6276/XEN.html (which does not yet include those 4 CVEs/XSAs, you notice that in 2016 (assuming the rate of discovery stays similar to the 9 months before), the number of CVEs/XSAs for Xen which includes QEMU and Linux vulnerabilities in supported Xen configurations is actually slowing, despite more people looking for vulnerabilities. Contrast that with the Linux Kernel and QEMU vulnerabilities, both parts of KVM (see http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33 & http://www.cvedetails.com/product/12657/Qemu-Qemu.html?vendor_id=7506) where the rate of vulnerabilities discovered is actually increasing steadily.
However, I can see why the impression of more Xen vulnerabilities is created: the difference is simply that each Xen vulnerability is covered in the tech media, while Linux, QEMU or KVM vulnerabilities are rarely covered (often they are only covered if there is a Xen angle). A simple google news search for "<hypervisor insert Xen/QEMU/KVM/...> vulnerability" clearly shows the difference in how issues are reported.