Here are my two cents...
I don't think the threat level would have changed. The attack surface size is still the same and the avenues of attack are still the same. An analogy I would make is that the size of the balloon (attack surface of the VMs) is still the same and the risk of the balloon getting hit by darts (malware) is still the same. The amount of risk is relative to the attack surface size and the available attack vectors.
As for Spectre and Meltdown, these are new vulnerabilities and it still has to enter the XP system in some way, either through the network (internet or intranet) or through a USB storage device attached to the VM.
If I understand correctly, the risk of Spectre and Meltdown is more of the malware jumping out of the VM. It is hard to see how this can be a generic attack (maybe I am not smart enough). Another analogy would be that a fish could decide to jump out of the aquarium, but it would have no idea what the world is like beyond the water tank. Or a movie plot analogy would be when Neo got unplugged from the Matrix for the very first time and he nearly died doing so. So I would think any Spectre/Meltdown malware would also have to be a very targeted attack.