Will virtualizing a server mean another OS layer to patch and update, more work and greater risk?

http://serverfault.com – I've done a search and have not found anything addressing issues regarding patching and system updates. I've got guidelines that say servers need to have necessary patches. If I have a VM host, then is that an extra layer to patch and update - even with bare-metal hypervisors? As opposed to having a metal server? (i.e. more work and testing and documentation as per my guidelines). How often do type 1/bare-metal hypervisors get updated? Does that matter? Does the fact that it is an extra software layer introduce more complexity and risk (security & reliability)? (e.g. 99% bug free software x