As I already explained in different places, what matters is the hypervisor, kernel, OVS, and other such important packages. We can still backport security fixes ourselves on various packages inside the OS.
XCP-ng is only partially based on CentOS, only using non-critical CentOS packages (NOT the kernel, NOT Xen, NOT OVS, SMAPI/XAPI aren't packaged in CentOS etc.).
XCP-ng is NOT your regular distro, it's an appliance where we backport relevant security fixes.
Be sure that the next major version won't even have SSH access enabled by default.