Quoting "Douglas A. Tutty" <dtutty@porchlight.ca>:

quoted text
> Problem: in your analogy, there is some limit to the number of bad guys
> before they become obvious to local law-enforcement. In the computer
> case, best to consider the number of bad guys unlimited; you can only
> limit the _rate_ at which they try to attack via the net (physical
> security is back to the car analogy; how many datacentres do you need).
> 
> Answer to your question:
> 
> 4 cars, all dummies.
> 
> Dress the diplomats up as cleaning staff and send them via public
> transit.
> 
> This is where the analogy breaks down. The safety of the ambasidors
> relies on secrecy; if its blown, the bad guys will know which car the
> good guys are in and will blow it up. If it secrecy remains tight, they
> won't know your plans whatever they are. 
> 
> Doug.
>  

I would have thought this is further evidence of the analogy not being too bad.
 You are relying on secrecy - if that is blown, you're screwed across the board
- all four ambassadors.  So for virtualisation, you are relying on the separate
application domains being partitioned off from each other - and if that is
blown, you're screwed across the board again.  In both cases, the failure could
be malicious (bad guy tortures the maid for information / hacker gets into
system) or accidental (toxic leak on subway / some interaction between guest
process and host triggers previously undiscovered bug.)

But instead of going all James Bond-ish - I could have said is having all your
eggs in one basket more secure?