Hacker News

It would depend on both.


But if there are security holes in Virtualbox, wouldn’t they be exploitable by any OS, regardless of what language it was written in?


Yes. The relevance depends on how likely you are to run a virtualbox image you found on the Internet because somebody told you "run this image".


The idea of a VM is that it provides an iron box which nothing can break out of, because it's completely invisible. There's nothing a guest can do which could possibly distinguish a VM session from running on the bare hardware. Partly this is for compatibility, partly for ease of development (develop the next VM as a guest in the current VM!), and partly for simple security: You can't escape a prison if you are utterly convinced you're already out.

Maybe that part of the theory never made it into practice.


Yeah. Welcome to practice: I type "ifconfig | grep vio" and if it comes back nonblank, I know I'm running in virtualbox.


OK. Is anyone working on x86 VMs which do try to be completely invisible to guests?


That was probably abandoned because it was not performant.





