We run SELinux on all our Docker hosts and are about to roll out GRSecurity as well. At present this is one of the best lines of defence you have against running code so close to root.
It's not quite that simple; an insecure or vulnerable hypervisor can actually make it easier to exploit a system. (Note: I'm not suggesting that running Docker as PID1 or similar is a good idea.)
I think it's fair to say that it's easier to secure a hypervisor than it is to secure a Docker daemon. Lord knows we've had a lot more experience securing hypervisors.