The short answer: the AV on the host machine doesn't protect the guest machine (VM).
As for Ubuntu security vs XP security: yes, it is true that there are fewer viruses written for Linux, and there are fewer known exploits and attacks against Linux. This doesn't mean Linux is completely safe, but it is way safer than XP.
What every answer has missed so far is that there are more attack vectors than just network connections and file sharing: all the other parts of a virtual machine, especially with regard to virtualizing hardware. A good example of this is shown below (ref. 2) where a guest OS can break out of the VMware container using the emulated virtual COM port.
Another attack vector, commonly included and sometimes enabled by default, on almost all modern processors, is x86 virtualization. While you can argue that having networking enabled on a VM is the biggest security risk (and indeed, it is a risk that must be considered), this only stops viruses from being transmitted how they are transmitted on every other computer - over a network. This is what your anti-virus and firewall software is used for. That being said...
There have been outbreaks of viruses which can actually "break out" of virtual machines, which have been documented in the past (see references 1 and 2 below for details/examples). While an arguable solution is to disable x86 virtualization (and take the performance hit running the virtual machine), any modern (decent) anti-virus software should be able to protect you from these viruses within limited reason. Even DEP will provide protection to a certain extent, but nothing more than when the virus would be executed on your actual OS (and not in a VM). Again, noting the references below, there are many other ways malware can break out of a virtual machine aside from network adapters or instruction virtualization/translation (e.g. virtual COM ports, or other emulated hardware drivers).
Even more recently is the addition of I/O MMU Virtualization to most new processors, which allows DMA. It does not take a computer scientist to see the risk of allowing a virtual machine with a virus direct memory and hardware access, in addition to being able to run code directly on the CPU.
I present this answer simply because all of the other ones lead you to believe that you just need to protect yourself from files, but allowing virus code to directly run on your processor is a much bigger risk in my opinion. Some motherboards disable these features by default, but some don't. The best way to mitigate these risks is to disable virtualization unless you actually need it. If you aren't sure if you need it or not, disable it.
While it is true that some viruses can target vulnerabilities in your virtual machine software, the severity of these threats is drastically increased when you take into account processor or hardware virtualization, especially those that require additional host-side emulation.
References:
1. How to recover virtualized x86 instructions by Themida (Zhenxiang Jim Wang, Microsoft)
2. Escaping VMware Workstation through COM1 (Kostya Kortchinsky, Google Security Team)
Best Answer
There seem to be some misconceptions about NAT and bridge connections in VM environments. These do not allow your host to be infected. A VM operating system will have no access whatsoever to the host operating system and will be completely unaware it is operating as a Client Virtual Machine. Software running inside that operating system will be even less wise about it.
It is through direct relationships between the client and the host machine that a chance of getting infected may exist. This happens if you allow the client and the host to share folders. The largest chunk of VMware (to name one popular product) vulnerabilities of note ever found have been directly or indirectly tagged to this feature. A complete isolation is achieved by turning off shared folders. Any other vulnerability has been discovered on the Host side when vulnerabilities on the VM engine itself would allow a potential attacker to hook up through the host machine and gain access to any clients, or run code of their own.
Security issues may indeed be more involved if one is running a large VM structure such as those proposed through VMware Server topologies. But if running single-computer VMware Workstation solutions, there is no security issue under NAT or Bridge connections. You are safe as long as you don't use shared folders.
EDIT: To be clear, when I speak of NAT or Bridge connections I'm speaking only of the VM's ability to share the host network connection with its clients. This does not give the client any access to the host and it remains entirely isolated, provided functionality like VM Shared Folders is turned off. Naturally, if instead the user decides to network Host and Client, then said user explicitly decided to connect both machines, and with it waive intrinsic VM security. This then becomes no different from any other private network environment and the same security issues and concerns need to be addressed.
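The answers above name two guest-to-host channels in VMware Workstation: shared folders and the emulated COM port. As an added example (not part of any of the original answers), the following Python audits a VM's `.vmx` configuration for both; the sample configuration is constructed for illustration and the function names are hypothetical.

```python
import re

# Constructed sample .vmx content for illustration (not from a real VM).
SAMPLE_VMX = '''
.encoding = "UTF-8"
displayName = "xp-test"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "/home/me/Documents"
sharedFolder0.writeAccess = "TRUE"
serial0.present = "TRUE"
serial0.fileType = "thinprint"
'''

LINE_RE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return the key/value pairs of a .vmx file, keys lowercased."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def is_true(cfg, key):
    return cfg.get(key, "").strip().lower() == "true"

def audit_vmx(text):
    """List the guest-to-host channels this configuration leaves open."""
    cfg = parse_vmx(text)
    findings = []
    for key in sorted(cfg):
        # Emulated serial (COM) ports: host-side device emulation.
        m = re.fullmatch(r"serial(\d+)\.present", key)
        if m and is_true(cfg, key):
            findings.append(f"virtual serial port {m.group(1)} present")
        # Shared folders: direct file-system path between guest and host.
        m = re.fullmatch(r"sharedfolder(\d+)\.enabled", key)
        if m and is_true(cfg, key):
            n = m.group(1)
            rw = is_true(cfg, f"sharedfolder{n}.writeaccess")
            path = cfg.get(f"sharedfolder{n}.hostpath", "?")
            mode = "read-write" if rw else "read-only"
            findings.append(f"shared folder {n} ({mode}): {path}")
    return findings
```

An empty result means neither channel is configured for that VM; it says nothing about flaws in the hypervisor itself.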