> Why would long lived VMs be better if they're also using old versions of software?

It's more difficult to break out of a VM and take over the host, unless a container has a very strict seccomp policy that limits the exposed kernel surface area. The Linux kernel's high rate of feature churn has resulted in an endless parade of root exploits. Locking down a container takes effort as you risk breaking the application by removing access to fancy kernel features du jour. VMs have bugs, too, but it's a better situation, especially if the interface between guest and host is limited to a few virtio drivers. Firecracker, for example, takes this minimalist approach; relative to containers it's more of a "secure by default" situation as far as host protection goes, and unless the guest environment requires direct access to peripheral hardware, everything will still work as intended.
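
Added example, not part of the thread: a small Python check that takes a seccomp profile in the JSON format Docker loads with --security-opt seccomp=<file> and a list of syscalls an application was observed making (say, from strace), and reports which ones the profile would block. The profile, the observed syscall list and the function names are constructed for illustration and are not Docker's own.

```python
import json

# Constructed deny-by-default profile in Docker's seccomp JSON format.
PROFILE_JSON = """{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "openat", "close", "fstat", "mmap", "munmap",
               "brk", "exit_group", "rt_sigaction", "futex"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288,
               "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}]},
    {"names": ["bpf", "io_uring_setup"], "action": "SCMP_ACT_ERRNO"}
  ]
}"""

# Constructed list of syscalls the application was seen making.
OBSERVED = ["read", "write", "openat", "clone", "io_uring_setup",
            "memfd_create", "futex"]


def effective_actions(profile):
    """Map each named syscall to its action. A syscall whose rule carries
    argument filters, or that is named by rules with differing actions,
    is marked conditional because the plain name does not decide it."""
    actions, conditional = {}, set()
    for rule in profile.get("syscalls", []):
        action = rule.get("action", profile["defaultAction"])
        for name in rule.get("names", []):
            if name in actions and actions[name] != action:
                conditional.add(name)
            if rule.get("args"):
                conditional.add(name)
            actions[name] = action
    return actions, conditional


def audit(profile_json, observed):
    """Classify each observed syscall as blocked, conditional or allowed."""
    profile = json.loads(profile_json)
    actions, conditional = effective_actions(profile)
    default = profile["defaultAction"]
    report = {"blocked": [], "conditional": [], "allowed": []}
    for name in sorted(set(observed)):
        action = actions.get(name, default)  # unlisted names get the default
        if action != "SCMP_ACT_ALLOW":
            report["blocked"].append(name)
        elif name in conditional:
            report["conditional"].append(name)
        else:
            report["allowed"].append(name)
    return report


if __name__ == "__main__":
    for key, names in audit(PROFILE_JSON, OBSERVED).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Anything under "blocked" is a call the application makes that the profile turns into an error, which is exactly how a tightened profile breaks an otherwise working container.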



So anyone using Docker on Mac or Windows is safe from this scary stuff because they run all containers in a VM? Cool!


So the problem is Linux, not Docker, then.



