Usually a VM offers a high standard of security; it is quite difficult for malware to break the isolation and run malicious code on the host system (if you don't enable shared folders and drag and drop, as said above).
It is true that some specific vulnerabilities could allow this, but:
1) Generally these vulnerabilities are fixed fast enough.
2) Malware that can exploit unpatched vulnerabilities has to be designed for this specific purpose... objectively very difficult.
Of course, whoever tests malware is playing with fire, and the risk exists; nothing is 100% safe in this context, but in my experience no malware has escaped my VM.