Can malware "cross" virtual machines?

Discussion in 'sandboxing & virtualization' started by wearetheborg, Aug 28, 2010.

Thread Status:
Not open for further replies.
  katio (Guest)

    This is MASSIVE overkill but fun alright :eek:
    My analysis: You have singled out one threat vector and added as many layers of defense as you could come up with. I slightly disagree with your assessment:
    If we are talking about the browser vector you'd need in the worst case (or best, depending on where you are standing)
    1) a browser exploit that works without scripting (e.g. font or png vuln)
    2) a VBox vulnerability that doesn't require root (e.g. buffer overflow in a virtual driver)
    3) a Windows kernel vulnerability that renders Sandboxie, ShadowDefender and any other protection in the same ring useless (e.g. the VBox shellcode from above drops that famous WMF file somewhere in the sandbox and opens it with the default sandboxed viewer -> exploit no. 3, payload installs an MBR rootkit that will survive reboot).
    If the VBox driver runs in kernel space you might only need two exploits.

    I *think* this could work, maybe. All theoretically of course. But the point is, a kernel exploit can circumvent all other mechanisms that also live in kernelspace, at once.

    However, apart from all that you are still vulnerable because there are a thousand other attack vectors you might not even have thought of, some examples ranked from probable to highly theoretical:
    >poor TLS hashes, server compromise (nothing you can do about it on your end),
    >user error, MITM, social engineering, phishing...
    >user level exploit inside the VM targeting your online credentials
    >vulnerabilities in other software on the host
    >severe bug in one of your applications accidentally deleting user data (I think that's "security" in a wider sense as well)
    >evil maid attacks, very easy but requires physical access, TPM could protect against it
    >backdoor in one of the OSs or installed apps
    >TEMPEST and other side-channel attacks
    >wifi/ethernet card vulnerability, instant root from remote, pretty scary but I don't think it works across different networks
    >malicious firmware/"chips" preinstalled on the system, total ownage, almost no way to detect
    >aliens reading your brainwaves from a few lightyears away, well, no comment, no wait: tin foil

    Still feeling smug eh? Hope that leaves you a bit uneasy :p

    What do I really want to say: Stay alert even if you think (and it probably is) that your current protection is bulletproof; it only covers the specific issues you have thought of.
    "Be prepared for the unexpected!"