Jails. Recently I have configured a dedicated server to run nginx + php-fpm in a jail: the entire jail consists of two static executable files, a few config files, and a few logs. There's nothing to pwn there, even if there's an unpatched stack vulnerability somewhere. Jails are a very impressive security feature of FreeBSD.
My trepidation with LXC would be from a documentation POV... Jails are very much known quantities, while LXC is newer, not known for great docs, and thus is probably easier to screw up.