I have signed up to the coinbase vault service but have yet to use it or read the fine print regarding the insurance.
I dont know about xapo but coinbase says they store all customers vaulted coins on paper wallets and usb cold storage in bank vaults around the world. So virus on customers computer should not be an agument with insurance. Employee security is still a concern but should not stop the payouts.
To deny insurance they must prove negligence on the customers part.
I would be all for a annual or quartly independent audit of all coin that should be accounted for in their vaults at anytime.