This is not so simple. Qubes implements security through isolation. Dom0 has not Internet access, so you can only have a backdoor in VMs. Some VMs also have no Internet access, so they're safe. Others are reset every reboot. In addition, all VMs can rely on different Linux distributions (Arch, Debian, Fedora etc.). I think Qubes provides a good defense against such attacks.
Upd:
> I've never heard of Qubes doing significant in-distro kernel hardening
Qubes OS v4+ does not use typical software virtualization methods. VT-d hardware virtualization it uses was broken only once, and it was done by the Qubes founder: https://en.wikipedia.org/wiki/Blue_Pill_(software)
