Dangers of virtualisation of home firewall?

The virtualization system shouldn’t have a public IP; if it does, you’re doing it wrong. You should have at least one interface that is connected only to the router/firewall VM (whether it is passed through to the VM, or the VM is the only thing on the virtual switch/bridge for that interface), and that interface is what connects to the ISP. At this point, since the router/firewall is the only device with a public IP, the security is identical to if you had a physical router/firewall appliance.

Most often the only downside to your router being virtualized is that you are now relying on that virtualization system, both hardware and software, to be reliable. Any issue with it, and your router is offline, which also makes it harder to search the internet for help getting it back up.

4 Likes
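An added example, not part of the original post: a check for the bridged layout described above, run over `ip -j addr show` output from the host. It assumes a Linux hypervisor using a bridge rather than passthrough; the interface names and sample data are constructed.

```python
import json

# Constructed sample shaped like `ip -j addr show` on a Linux hypervisor host.
# Interface names are assumptions: enp1s0 = NIC to the ISP, br-wan = WAN bridge,
# vnet0 = firewall VM's tap, vnet1 = a second guest wrongly attached.
GOOD = json.loads("""[
 {"ifname": "enp1s0", "master": "br-wan", "addr_info": []},
 {"ifname": "br-wan", "addr_info": []},
 {"ifname": "vnet0", "master": "br-wan", "addr_info": []},
 {"ifname": "br-lan", "addr_info":
   [{"family": "inet", "local": "192.168.1.2", "scope": "global"}]}
]""")
BAD = json.loads("""[
 {"ifname": "enp1s0", "master": "br-wan", "addr_info": []},
 {"ifname": "br-wan", "addr_info":
   [{"family": "inet", "local": "203.0.113.10", "scope": "global"}]},
 {"ifname": "vnet0", "master": "br-wan", "addr_info": []},
 {"ifname": "vnet1", "master": "br-wan", "addr_info": []}
]""")

def audit_wan(ifaces, wan_nic, wan_bridge):
    """Return findings; an empty list means only one guest faces the ISP."""
    findings = []
    by_name = {i["ifname"]: i for i in ifaces}
    for name in (wan_nic, wan_bridge):
        if name not in by_name:
            findings.append(f"{name}: interface not found")
            continue
        # The host must hold no address here, or its own stack faces the ISP.
        for addr in by_name[name].get("addr_info", []):
            findings.append(
                f"{name}: host address {addr['local']} ({addr.get('scope')})")
    if by_name.get(wan_nic, {}).get("master") != wan_bridge:
        findings.append(f"{wan_nic}: not a port of {wan_bridge}")
    # Everything enslaved to the WAN bridge besides the NIC is a guest port.
    guests = sorted(i["ifname"] for i in ifaces
                    if i.get("master") == wan_bridge and i["ifname"] != wan_nic)
    if len(guests) != 1:
        findings.append(f"{wan_bridge}: expected 1 guest port, found {guests}")
    return findings

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("bad", BAD)):
        print(label, audit_wan(data, "enp1s0", "br-wan") or "OK")
```

With passthrough the NIC is no longer visible to the host's network stack, so this check applies only to the bridge variant.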