
I agree that both are security boundaries in theory. But a minimal hypervisor is much stronger than a cgroup container. Cgroup containers are a thin door made of wood, VMs a vault door made of steel. So people saying "containers are no security boundary" are exaggerating a bit, but not much.

A minimal VM, like Firecracker, has a small attack surface, so I'm willing to trust that privilege escalation/VM escapes will be rare.

A process restricted by cgroup/namespace/etc. still has access to the huge API surface exposed by the kernel, so privilege escalation is common, and I'm unwilling to trust this mechanism to isolate malicious code.



I agree that they're not very good ones, but a container escape would be treated by everyone the same way a VM escape would be: instant patching, coordinated/embargoed disclosure, AWS finding out before you do, etc.

They didn't start out at the design phase that way, but they absolutely are today.



Of course VM escapes exist. But many of the vulnerabilities are in functionality which isn't relevant for modern servers. Hardware virtualization support prevents many attacks. For example, Firecracker supports little more than network, block storage and vsock, which keeps the attack surface small.



