I have seen this before but cannot easily find a reference now. Some starting points.
Increased attack surface is a good argument indeed. Specifically so when mixing different virtualizers as a user recently mixed VMware running on a Windows host, VM was running Debian which was then running VirtualBox.
KVM does not allow nested virtualization by default?
Security hardening guides recommend to and security hardened operating systems disable kernel module loading and kexec. The idea of Untrusted Root - improve Security by Restricting Root. But by allowing nested virtualization we allow (untrusted) root or even the user to run any kernel image and to influence which code interacts with the hypervisor directly? That are quite higher privileges and more low level than what (untrusted) root or user could do otherwise?