Well, one of every 10 XEN security holes affects Qubes OS, which happens about every two to three months.https://www.qubes-os.org/security/xsa/
The statistic looks bad when compared to OpenBSD,
which needs patches like once or twice per annum.
It looks good when compared to Linux distributions,
which have at least one remote / local root kernel exploit per month
and a couple of daemon exploits per week.
I'd also like to point out, that neither Snowdens NSA leak 2013 nor the CIA Vault7 leak 2017
contained anything related to Qubes or OpenBSD ... so both seem to be reasonably paranoid choices ;-)