There is a lot of malware that can detect whether it is running inside
a VM or sandboxed environment, and if such an environment is detected it
can conceal itself and not execute. So why not make everything a VM?
Now all systems are safe!
There is a better reason than that to put things inside a VM. Basically, the process boundary is often exploited by finding bugs in the kernel. Placing every process inside a VM means the malware author needs to find a bug in the kernel and a bug in the VM to escape into another process. Products like HP's Sure Click do implement the security approach you've described.
I know not all malware does this but considering that there are many
cloud services these days that run on VMs in remote servers does that
mean that they are all immune to these types of malware?
Yeah, there's a company that does exactly that: Menlo Security. Products like Google Docs, yes, are going to be less dangerous to the user's computer than a process that runs on a local computer, mainly because the document could be run on Google's server rather than your local machine. The main target (if the malware is trying to attack the user) is going to be finding a way to exploit the user's browser via the online document. Browsers, like Chrome etc., have plenty of zero-day vulnerabilities. But over time, I think the security of browsers has increased a lot. So it's not trivial to find a vulnerability, but it's doable.
I am aware that not all cybersecurity threats involve malware but the
focus of this question is mainly on malware attacks.
Yeah, these systems do significantly reduce the attack surface of a normal user's activity. They haven't taken the market by storm (yet?). (There are lots of other security products that can soak up cash; security is just one of many considerations.)
There are performance considerations, but they really aren't as significant (in a well-engineered product) as people might expect. The products can use highly specialised cut-down VMs, allowing a single machine to run many, many VMs. Or a product can run multiple 'dangerous' processes in a single VM, like Hysolate. And these products can achieve near-native performance for most tasks. (The products can use a bunch of performance optimisations.)
I think some of the early creators of these solutions, like Bromium, which HP bought, had some product issues that prevented the solution gaining more traction. Windows has introduced similar solutions, including Windows Defender Application Guard. Lots of very security-conscious organisations like governments, big corporates etc. use virtualisation-based solutions already. In 2021, the use of these approaches is largely confined to some highly security-conscious organisations. (Excluding things like Google Docs, which are mass-market for totally different reasons.)
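As an added illustration of the Windows Defender Application Guard option mentioned in the answer above (this is example code written for this page, not something posted by the answerer or shipped by Microsoft), the following PowerShell checks that the host exposes the virtualisation support Application Guard needs, reports whether the feature is installed, and enables it if it is not. It uses only the standard `Get-ComputerInfo`, `Get-WindowsOptionalFeature` and `Enable-WindowsOptionalFeature` cmdlets; the feature name `Windows-Defender-ApplicationGuard` is the real optional-feature name. It must be run from an elevated prompt, and enabling the feature requires a reboot.

```powershell
# Example: enable Windows Defender Application Guard (WDAG), which runs
# untrusted Edge sessions inside a hardware-isolated Hyper-V container.
# Added example for this page; not code from the original post.

$featureName = 'Windows-Defender-ApplicationGuard'

# 1. Prerequisite: WDAG needs virtualisation extensions exposed by the firmware.
$info = Get-ComputerInfo
if (-not $info.HyperVRequirementVirtualizationFirmwareEnabled) {
    Write-Warning 'Virtualisation is disabled in firmware; WDAG cannot be enabled until it is turned on in UEFI/BIOS.'
    return
}

# 2. Check current state of the optional feature.
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
Write-Host "WDAG feature state: $($feature.State)"

# 3. Enable it if it is not already enabled.
if ($feature.State -ne 'Enabled') {
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
    if ($result.RestartNeeded) {
        Write-Host 'WDAG enabled; a reboot is required before isolated browsing sessions are available.'
    }
} else {
    Write-Host 'WDAG is already enabled.'
}

# 4. Re-read the state so the script's output reflects what actually happened.
(Get-WindowsOptionalFeature -Online -FeatureName $featureName).State
```

After the reboot, Edge gains a "New Application Guard window" entry; pages opened there run in the isolated container, so a browser exploit has to be chained with a hypervisor escape before it can reach the host, which is exactly the extra boundary the answer describes.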