A properly secured SSH server still has a bigger attack surface than no SSH server, and likewise a webserver+OS behind a WAF still has a bigger attack surface than a webserver without an OS.
I guess this is defining things from a purely pragmatic "more code means a bigger attack surface" perspective. I know that's an oversimplification, but there's also some truth to it.
But indeed, the Solaris OVM / LXC stuff spawning minimal OSes without administrative access gets you quite close (and with a more vetted codebase), so in that regard unikernels are indeed still mainly an academic exercise.