The fact that VMWare works just means they used some tricks to make it practically virtualize some common OSes, not that it is no longer possible to write malicious software to run as user or privileged level inside the guest OS and have it escape the virtualization.
I spoke with someone who had evaluated the appropriateness of the VMWare internals for security sandboxing with respect to just this point. He seemed to believe that it is simply not possible for processes in the guest to escape the sandbox (perhaps, in light of the paper you cite, this signals inefficiencies in VMWare). Other people on this list were, I believe, involved in porting VMWare to be hosted under the BSD architecture and may be able to speak further about this. In any case, the broader point that has been made repeatedly is that even if the Pentium is not efficiently, securely virtualizable due to quirks in its instruction set, clearly there are architectures which are but which avoid the objectionable, user-hostile, aspects of the Pd scheme. n