Illusion of security
The reason you don't hear about KVM vulnerabilities is there's no good way to hear about them. They're usually not announced anywhere publicly. Xen, on the other hand, have an official process whereby you can get e-mail notifications as soon as the vulnerability is discovered and fixed; and if you're a public cloud provider, you can get notification two weeks beforehand, so you can patch your systems before the world knows about it.
So if what you want is the illusion of security, because you just don't hear about the bugs, by all means go with KVM. But if what you want is to be able to actually fix your bugs as soon as possible, go with Xen.