Yes these slides do help answer this question. Perhaps the combination of MAC at the host level and virtualisation at the user level will work better than either in isolation, because this keeps the MAC policy much simpler (hence fewer human errors) with less need for local customisation, so more manageable than when using MAC in a shared login situation ? MAC in this scenario seems to protect against bugs in the virtualisation layer.
Saying that virtualisation is less secure than a previous scenario of separate hosts for different jobs seems obvious, but if the previous scenario is single host multiple logins (e.g. for shared webhosting) then virtualisation even with just different UIDs and DAC seems to offer better security than what existed before. I think this because this direction is how the hosting of my own websites has migrated, though I would expect my upstream VM provider to be looking at and implementing the kind of DAC solution as proposed in the slides.