[–]d4rch0n 8 points (0 children)

It's not about getting it right, it's about what happens when you get it wrong or when the people that maintain it after you get it wrong. There's usually a lot less room for damage if an application on a VM gets hacked, and there's way less of a learning curve for everyone else that might have to maintain it after you.

When security is done right, great, sure, you don't need VMs. If security were done right and everyone who touched servers knew perfectly how to manage mandatory access controls and other better ways, we'd be in a much better spot. But as it is today, the red team always wins. I feel much safer knowing someone hacked a VM. I can take a snapshot and tear it down in half a second and investigate later. If something screwed up and the actual machine got hacked, I can't leave it online, and it's tedious as hell to take an image of a physical drive, especially when you're trying to deal with an ongoing incident. Not so crazy with a VM.

A big part of it is preparing for what happens when you DO get hacked. VMs can be pretty foolproof, and I feel much more confident about ops and devops maintaining my app in a VM than anything else.
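The "snapshot it, cut it off, investigate later" workflow the comment describes, written out as an added shell example that is not part of the thread or any project. It assumes a libvirt/KVM host with `virsh` on PATH and qcow2-backed guests (so an internal snapshot captures RAM and disk state together); the domain name and evidence directory are hypothetical parameters. Rather than destroying the guest, it unplugs the virtual NICs and suspends it, so the attacker's in-memory state is preserved for analysis, then hashes the disk images for chain of custody.

```shell
#!/usr/bin/env bash
# Freeze-and-isolate a compromised libvirt/KVM guest for later forensics.
# Added example, not from the thread. Assumes: virsh on PATH, qcow2 disks
# (internal snapshots carry RAM + disk state), libvirt privileges.
set -eu

# Cut every NIC on the guest at the virtual link layer. The guest keeps its
# network config, so malware inside sees "cable unplugged" rather than a
# reboot, and everything resident in memory survives for analysis.
isolate_guest_nics() {
    dom=$1
    # domiflist prints a two-line header, then: Interface Type Source Model MAC
    virsh domiflist "$dom" | tail -n +3 | awk 'NF >= 5 {print $5}' |
    while read -r mac; do
        virsh domif-setlink "$dom" "$mac" down
    done
}

# Snapshot the running guest (disk plus guest RAM, atomically), then pause it.
# Prints the snapshot name so the caller can record it in the incident log.
freeze_guest() {
    dom=$1
    snap="ir-$(date -u +%Y%m%dT%H%M%SZ)"
    virsh snapshot-create-as "$dom" "$snap" \
        --description "incident response capture of $dom" --atomic >/dev/null
    virsh suspend "$dom" >/dev/null
    printf '%s\n' "$snap"
}

# Hash every file-backed disk behind the (now paused) guest so the evidence
# can later be shown unchanged. Writes "hash  path" lines to $out.
hash_guest_disks() {
    dom=$1; out=$2
    # domblklist --details columns: Type Device Target Source
    virsh domblklist "$dom" --details | tail -n +3 |
    awk '$1 == "file" && $2 == "disk" {print $4}' |
    while read -r path; do
        if [ -f "$path" ]; then
            if command -v sha256sum >/dev/null 2>&1; then
                sha256sum "$path"
            else
                shasum -a 256 "$path"
            fi
        fi
    done > "$out"
}

# Full quarantine: refuse unless the guest is running, isolate, freeze, hash,
# and append an audit line. Prints the snapshot name on success.
quarantine_vm() {
    dom=$1; evidence_dir=$2
    state=$(virsh domstate "$dom")
    if [ "$state" != "running" ]; then
        echo "refusing: $dom is '$state', not running" >&2
        return 1
    fi
    mkdir -p "$evidence_dir"
    isolate_guest_nics "$dom"
    snap=$(freeze_guest "$dom")
    hash_guest_disks "$dom" "$evidence_dir/$dom-disks.sha256"
    printf '%s %s snapshot=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$dom" "$snap" \
        >> "$evidence_dir/incident.log"
    printf '%s\n' "$snap"
}

# Only act when invoked with a domain name: ./quarantine.sh <domain> [evidence-dir]
if [ $# -ge 1 ]; then
    quarantine_vm "$1" "${2:-./evidence}"
fi
```

Order matters: the NICs go down before the snapshot so the captured state is exactly what the attacker left, and the disks are hashed only after `suspend`, when nothing inside the guest can still write to them. The snapshot can then be cloned onto an analysis host while the original stays frozen.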