Xen itself is a microkernel. The list of vulnerabilities you've linked has a very limited scope not accounting for most vulnerabilities impacting QubesOS users. It also isn't a complete list for that limited scope. However, what you've linked shows the benefit of a microkernel-based design and why it would be best to have it beyond a hypervisor but rather inside of the virtual machines too. The vulnerabilities impacting the kernel and applications within the virtual machines are still very relevant to QubesOS users. QubesOS protects well against an attacker escaping from a virtual machine, but does not protect against an attacker exploiting the OS or applications within the virtual machines.

An attacker can do cross-guest exploits via the network too, which would not be considered within the scope of that list. As an example, if an attacker could exploit the network VM via a Linux kernel TCP/IP vulnerability, then exploit connected virtual machines from there with the same vulnerability. Network driver vulnerabilities are another way to get that initial foothold. It wouldn't be a hole in the architecture implemented by QubesOS but it would still give them control over everything that matters to the user.