
Fine for single-purpose app deployments, but on a grander scale you've just pushed all the security problems back to the APIs and interfaces of your cloud provider and/or virtualization engine. Now an AWS access token constitutes a root password for everything (for example).



Access tokens are a 'manageable' risk and AWS provides tools to enforce best practices where necessary.

Locating and regularly patching security vulnerabilities across thousands of components in a fully-featured monolithic operating system isn't. It's a potential disaster waiting to happen.

You don't need...

...a huge bundle of drivers when the OS will always run on a VM.

...extensive filesystem support when everything will be either transient or run directly from memory.

...multiple users when only one is required.

...OS-level sandboxing (i.e. kernel/user-space) when the VM already provides sandboxing.

...native POSIX tools when 'safe' alternatives can be run from the VM.

Despite the best intentions of developers and admins alike, the current approach to security is not working. Despite my own vigilance, I have personally had my sensitive information leaked by two separate multi-billion dollar organizations in the past year.

It's a simple fact that every feature added increases the attack surface of the entire system. All I'm suggesting is that it's not a bad idea to start looking to the alternatives that are becoming available.


Bingo. The PCs of old were more secure in that they did only one thing at once. These days even the most barebones installs have all manner of things running in the background, and any normal user setup is likely to add a dozen more.



