Since local users open a security hole into your mail server, I would argue that virtual users
Can you elaborate on that? I would argue exactly the oposite. Having your virtual users in a 3rd party environment, adds only security exploits of that 3rd party environment.
I guess most run dovecot with mysql? So how many issues have been found in mysql compared to linux os user accounts. Linux is designed as multi user environment and most other 3rd party software not.
Most secure IS running with linux user accounts, you can even enhance this security with selinux. How are you ever going to realize this in something like mysql? If something goes wrong there everything under the mysql uid is accessible. Thus all accounts.
*is* keeping it simple, also, if you end up with many users in the future you will need to got to a database of some sort anyway, whether SQL-like or LDAP like,