Like everything in security, it's about tradeoffs.
> Also, maybe, this means you're not running a single app per vm?
This is an argument for unikernels.
Instead, on 99.9% of your services you want to run multiple independent processes, especially in a datacenter environment: your service, web server, sshd, logging forwarder, monitoring daemon, dhcp client, NTP client, backup service.
Often some additional "bigcorp" services like HIDS, credential provider, asset management, power management, deployment tools.
> there shouldn't be any dogma around this
Like everything in security, it's about tradeoffs.
> Also, maybe, this means you're not running a single app per vm?
This is an argument for unikernels.
Instead, on 99.9% of your services you want to run multiple independent processes, especially in a datacenter environment: your service, web server, sshd, logging forwarder, monitoring daemon, dhcp client, NTP client, backup service.
Often some additional "bigcorp" services like HIDS, credential provider, asset management, power management, deployment tools.