To put things into perspective here: Security isn't something that can be "solved", it's a continuous process and an essential part of it is understanding risks and attack vectors, and of course, assessment and management of these risks.
What Mjölnir describes here is the possible attack vector with any firewall in a VM. If this is the only one left, it is already pretty good, of course depending on what you compare with.
A business operating their own infrastructure will typically operate many physical machines anyways, so they would be crazy not to reduce the risk further by using a dedicated machine (most of the time a special-purpose appliance) for firewalling. But using separate physical cables is a different story; in a larger network, you WILL find some shared trunks transporting multiple VLANs, one of them being the management LAN. The additional cost for cabling often isn't considered justified; assuming VLANs are used and configured correctly, you'd need strange bugs in switch firmware to "intrude" (and then you'd still have to gain remote access on the actual firewall).
But then, look at a home or (very) small business scenario, with just one server. A dedicated firewall appliance might be over the top. So, do you want to use one of these consumer "plastic routers" for firewalling? I'd have my doubts there about the quality and maintenance of their firmware, and there sure have been problems in the past. Putting a firewall in a VM is IMHO the second best solution after "dedicated hardware", but you have to do it right. If you wire up your firewall on virtual networks provided by the host system, you're doing it wrong: the host's networking code would still handle all packets first, including those the firewall would block, so any remote vulnerability in networking code could lead to a breach of the whole physical machine. Using PCI passthrough for all NICs, giving the firewall VM exclusive access to the hardware, is already a lot better.
What's left is indeed the risk that an attacker could gain control of the host by breaking out of a jail or VM. Flaws in CPUs (hello intel) render this a bit more realistic. Still, to even attempt such an attack, you'd first have to get access to a jail or VM.
Well, just some context, and there are many more things to take into account for every decision regarding security – bottom line is, for firewalling, a dedicated machine is the best solution (but needs trusted and maintained software as well of course, see "plastic routers"), and if you can afford it, you should. Still, a VM can be a reasonable alternative…
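The "doing it right" criterion above (every NIC of the firewall VM passed through, none wired into host-managed virtual networking) is something you can check mechanically. The following is an added example, not code from the post or its author: it audits a libvirt domain definition, flagging `<interface>` elements of host-handled types (bridge, network, user, ethernet, direct) and listing the PCI devices handed over via `<hostdev>`. The libvirt XML layout is the real one; the VM name `fw`, the bridge/network names and the PCI address in the sample are constructed.

```python
"""Audit a firewall VM's libvirt definition: are all NICs PCI passthrough?

Added example. Assumes the libvirt domain XML format; the sample domain
below is constructed for illustration and not taken from any real host.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one NIC passed through correctly, plus two NICs that
# go through the host's own networking stack (the situation the post warns
# about: the host touches every packet before the firewall sees it).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>fw</name>
  <devices>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
      </source>
    </hostdev>
    <interface type='bridge'>
      <source bridge='br0'/>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <source network='default'/>
    </interface>
  </devices>
</domain>"""


def _pci_bdf(addr) -> str:
    """Render a libvirt <address .../> element as a dddd:bb:ss.f string."""
    parts = [int(addr.get(k, "0"), 16) for k in ("domain", "bus", "slot", "function")]
    return "{:04x}:{:02x}:{:02x}.{:x}".format(*parts)


def audit_firewall_nics(domain_xml: str) -> dict:
    """Classify every network device of the domain.

    Returns a dict with:
      passthrough  - PCI addresses (or 'hostdev') the guest owns exclusively
      host_handled - '<type>:<source>' labels for NICs that the host's
                     networking code processes before the guest
      ok           - True only if there is at least one passthrough NIC and
                     no host-handled NIC at all
    """
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    passthrough, host_handled = [], []
    if devices is not None:
        # Whole PCI functions handed to the guest (vfio on the host side).
        for hd in devices.findall("hostdev"):
            if hd.get("mode") == "subsystem" and hd.get("type") == "pci":
                addr = hd.find("source/address")
                if addr is not None:
                    passthrough.append(_pci_bdf(addr))
        for iface in devices.findall("interface"):
            kind = iface.get("type", "?")
            src = iface.find("source")
            # <interface type='hostdev'> is the SR-IOV VF passthrough form.
            if kind == "hostdev":
                addr = iface.find("source/address")
                passthrough.append(_pci_bdf(addr) if addr is not None else "hostdev")
                continue
            # Anything else (bridge, network, user, ethernet, direct, ...)
            # is switched or routed by the host kernel first.
            label = next(iter(src.attrib.values()), "-") if src is not None else "-"
            host_handled.append(f"{kind}:{label}")
    return {
        "passthrough": passthrough,
        "host_handled": host_handled,
        "ok": bool(passthrough) and not host_handled,
    }


if __name__ == "__main__":
    report = audit_firewall_nics(SAMPLE_DOMAIN_XML)
    print("passthrough NICs :", report["passthrough"])
    print("host-handled NICs:", report["host_handled"])
    print("OK" if report["ok"] else "NOT OK: host networking sits in front of the firewall")
```

On a real host you would feed it `virsh dumpxml <vm>` instead of the embedded sample; a clean result still says nothing about the rest of the host (whether the passed-through NICs are unbound from host drivers, or whether the management VLAN shares a trunk), it only catches the specific mistake the post describes.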