Access control and auditing in the virtual environment is much the same as in the physical environment. First, the logging requirements and solutions are very similar. Second, if you have VM's that require different levels of physical access control then you need to have physically separate VM server farms to address this.
"And many say VM software out of the box won't suffice for security". That's true for just about every complex piece of software in the corporate environment - you need to lock it down to your companies specifications and there are many tools (some free) to help you do this with VMware's products.
"VMware's VirtualCenter management won't prevent VM sprawl because VM ID numbers can be changed and re-set" If your company doesn't manage server sprawl well in the physical environment then don't expect it to get better in the virtual world. Fortunately the same discipline and many of the same procedures apply to the virtual server world to limit sprawl. It would be nice to guarantee an ID to each VM, but then again we had the same issue tagging physical servers...
As for Netflow, I would love to see that functionality programmed into virtual switches. However, with many VMware farms (but not all) the network traffic eventually hits the physical network and that's where you do the network statistic gathering. Otherwise you need to use software agents on the VM's to get network stats which is not ideal.