A virtual desktop deployment should have an integrated and highly available access control system. IT should also be able to reduce the attack surface by proxying the desktops from the users.
Citrix wins this round with the Citrix Application Delivery Controller (ADC), which is bundled into many offerings from Citrix. Citrix ADC is highly available with multiple deployment options, and it has many access control options. IT can use Citrix ADC as a proxy between users and the back-end resources.
Citrix also gains a couple more points with support for GeoIP, BadIP, DoS Protection and TLS 1.3 -- unlike VMware's Unified Access Gateway 3.7 -- to help further reduce the attack surface. Citrix Intelligent Traffic Management is another layer in the Citrix deployment that doesn't exist within VMware, which helps globally protect DNS records from many different attacks.
VMware has partnerships with F5 Networks, and its NSX product line has some load-balancing abilities, but it isn't as full-featured as Citrix ADC.