updated answer in light of question/comments
GregL

No, a hacker can't 'steal your VM and gain complete access'. They'd need to hack into the VM management interface and if they end up there, your government department has much bigger issues.

Running both IIS and SQL on the same server is technically fine, but whether or not it's a good idea really depends on whether or not your load profile allows it.

If it's a small site, you're all good. I've seen lots of these one-offs run perfectly fine. Just make sure you have enough resources (CPU, RAM and disk I/O) to let IIS and SQL perform well, and limiting SQL to only a subset of the CPU/RAM might not be amiss so that it doesn't hog it all. 'Cause it will if you let it.

If it's a really big/busy site then you'll want to re-consider. Seeing as you're currently using MS Access, I can't possibly imagine that this is the case.

In terms of security concerns, it really comes down to how you want to manage the various pieces. If you intend to connect to the SQL instance from your desktop, then you've got to have port 1433 exposed and that means others can get in that way too. Unless your firewalls are set up in such a way that such connections could be allowed only from the internal zones. If you're happy RDPing into the server and doing it all locally, you just need to expose the IIS ports (80 and/or 443), which is no less secure than what you likely have now.


After re-reading the question and the comments, I see that you want to have one physical server. It will run IIS as well as a VM for SQL.

That makes no sense. Either treat the server as a straight hypervisor and run both tiers in individual VMs, or run them both natively on the hardware. Mixing things is only going to lead to tears.
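
Added example, not part of the answer above: a PowerShell check for the firewall point about port 1433, listing inbound allow rules that expose it to any remote address and then creating an allow rule limited to internal ranges. The `$InternalRanges` values, the rule name and the `Get-OpenSqlRule` helper are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and scope Windows Firewall access to SQL Server's TCP 1433.
$SqlPort        = '1433'
$InternalRanges = @('10.0.0.0/8', '192.168.0.0/16')   # assumed internal zones; use your own

function Get-OpenSqlRule {
    # Enabled inbound allow rules that cover TCP 1433 and accept any remote address.
    # Port ranges such as '1000-2000' are not expanded here; review those by hand.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter

        $coversSql = ($port.Protocol -in 'TCP', 'Any') -and
                     (($port.LocalPort -contains $SqlPort) -or ($port.LocalPort -contains 'Any'))
        $anySource = $addr.RemoteAddress -contains 'Any'

        if ($coversSql -and $anySource) {
            [pscustomobject]@{
                Name          = $_.Name
                DisplayName   = $_.DisplayName
                Profile       = $_.Profile
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
    }
}

# 1. Report rules that currently let any source reach 1433.
$open = @(Get-OpenSqlRule)
$open | Format-Table DisplayName, Profile, LocalPort, RemoteAddress -AutoSize

# 2. Preview scoping the rules that name 1433 explicitly (drop -WhatIf after review).
$open | Where-Object { $_.LocalPort -eq $SqlPort } | ForEach-Object {
    Set-NetFirewallRule -Name $_.Name -RemoteAddress $InternalRanges -WhatIf
}

# 3. If no rule for 1433 exists yet, create one limited to the internal ranges.
if (-not (Get-NetFirewallRule -DisplayName 'SQL 1433 (internal only)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'SQL 1433 (internal only)' `
        -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
        -RemoteAddress $InternalRanges -Action Allow | Out-Null
}
```

Allow rules are additive, so any broad rule the report lists still exposes the port until it is scoped or disabled, regardless of the new rule.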
