Don't mix attacks that are targeted against your own software - in case this attack is successful, both Tor and VPN would be useless. This is what the attacks against Tor users
generally mean, when you read about them in the news. Several attacks are carried in order to deanonimize and unmask users.
Also, don't mix the Tor browser, which is just a hardened fork of Firefox, with the Tor routing concept. If your Tor browser is attacked and the attacker managed to run code
on your device, both Tor and VPN will be useless - same as the case of getting infected with malware.
The chances of VPN server being compromised brings the question who your adversary is. A strong enough adversary will not need to gain access to the server at all - they
can use the beurocratic chain in order to pressure the ISP of the VPN server into logging whatever is needed. In most of this cases they will already know who the user is,
so in order to build the case they will need to gather more intelligence/evidence (depending on who the adversary is).
If you consider yourself being a target of something that is described above, Tor might be a temporary solution, because all people make mistakes.
The general rule is, if you are accessing content which is highly questionable in your country, using only a single VPN server is less advised.
For all other use-cases, such as browsing,file sharing and avoiding ISP blocks, VPN is the way to go.