Comments on: Three Things to Consider When Thinking About Containers
https://www.percona.com/blog/three-things-consider-thinking-containers/
Tue, 06 Aug 2019 20:38:34 +0000

By: Jon Tobin
https://www.percona.com/blog/three-things-consider-thinking-containers/#comment-10967234
Mon, 24 Oct 2016 14:35:18 +0000

Darrell,
You make a valid point about the ability for your configuration to limit access to your containers. It’s obvious that you have a high degree of expertise in systems and that can help make containers more secure. Please don’t misunderstand my intentions here. It is not to discourage anyone from the use of containers, but to have an honest discussion about it. To that point, thank you for taking the time to leave a thoughtful comment! This type of discourse makes us all better.

Now, let me make a simple point about my perspective on the topic. Everything you’ve said is also true of VMs, and in most cases, doubly true. Furthermore, the main reason for my high-level recommendation on VMs for security is the amount of DEFAULT isolation bare-metal virtualization provides; to quote the ITWorld article from below, “containers do not contain.” If used in the same manner as containers, then there would be a much, much lower attack surface (like for like). Furthermore, the need to perform a high level of customization and configuration to get a secure container only increases the likelihood that a mistake will be made. Based on the conversations I’ve had with executives, this is a paramount concern. Efficiency is great, but security is mandatory.

All this being said, if someone would like to learn more about the subject, here are a few good articles:
ITWorld Article: http://bit.ly/2f8VvTO
InfoWorld: http://bit.ly/2f8S3IS

By: Darrell Breeden
https://www.percona.com/blog/three-things-consider-thinking-containers/#comment-10967222
Fri, 21 Oct 2016 22:00:50 +0000

I think you’re oversimplifying the concept of security in containers for the sake of this argument. Docker can be secured via TLS such that clients require a valid certificate to even access it. If you do that and disable socket-level access, the only way to access the swarm cluster or host would be via a valid, signed certificate.

Also, there are way more pros when it comes to security from containerization dealing with segregated networks, not having to expose ports for services due to container links and more. CGroups can also be defined to mitigate noisy neighbor syndrome.

On top of that, most patches or security flaws could be fixed by simply rebuilding your image since they’ll normally include package update and install operations. I want to make sure people have all the information available on this subject before some upper level exec decides not to use containers since they saw that “VMs are better for security” on a post somewhere.

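As an added illustration (not part of either comment) of the daemon configuration Darrell describes, here is a small Python audit of a Docker daemon.json that flags a TCP listener without client-certificate verification (tlsverify) and any local socket listener. The two sample configurations are constructed for this example; the key names are Docker's real daemon.json options.

```python
import json

# Constructed sample: API exposed in plaintext on 2375 plus the local socket.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: TCP only, mutual TLS, no local socket (paths are placeholders).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(text: str) -> list:
    """Return findings for a daemon.json document; an empty list means nothing flagged."""
    cfg = json.loads(text)
    findings = []
    hosts = cfg.get("hosts", [])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]

    if tcp_hosts:
        # A network listener is only safe when clients must present a CA-signed cert.
        if cfg.get("tlsverify"):
            if not cfg.get("tlscacert"):
                findings.append("tlsverify set but no tlscacert: client certs cannot be validated")
            if not (cfg.get("tlscert") and cfg.get("tlskey")):
                findings.append("tlsverify set but server tlscert/tlskey missing")
        elif cfg.get("tls"):
            findings.append("tcp listener with tls but not tlsverify: encrypted but any client accepted")
        else:
            findings.append("tcp listener without TLS: unauthenticated, unencrypted API")

    # Whoever can open the local socket controls the daemon (effectively root on the host).
    if any(h.startswith(("unix://", "fd://")) for h in hosts):
        findings.append("local socket listener enabled: host-level socket access allowed")
    return findings
```

On systemd-based installs, note (as a known caveat, not from the comments) that setting `hosts` in daemon.json conflicts with the `-H fd://` flag in the stock unit file, so the unit's ExecStart must be adjusted too.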