Virtualbox package is in contrib, and upstream refuses to give patches for security bugs.
Their attitude is to update to the latest version, something not feasible for stable
releases, specially when the minor releases of a particular major version are not
published anymore.
For this reason, virtualbox might not be covered by security.debian.org support,
nor by stable-proposed-updates in case the maintaining is impossible due to
lack of upstream support.