The security bug in lsof (in the debian bugs page) is related to NFS (network filesystem). In some situations, when the NFS disks are mounted with certain parameters, doesn't necessarily show all the open files from that filesystem.
The reason why this is thought as a security bug, is that lsof is used as a system analysis tool and it failing to give correct information is considered a security threat.
At a quick glance, the security things in the manpage seems to be related only on possibly revealing of too much information for a regular user about the system.
About the original issue.
inetd is a general purpose daemon that is listening all the ports that has services attached to them. When request for the port comes, it starts the program in question. This way all the (possibly rarely used) programs doesn't have to be in memory all the time.
See /etc/inetd.conf to examine the services.
In debian, you can also disable the vboxd from inetd with command
update-inetd --disable vboxd