The /usr/local permissions are set by your Linux distribution and not changed by ISPConfig. So you should not change them.
Regarding vmail: The mail system uses maildrop that runs as user vmail and maildrop invokes external commands, so it needs a shell. See also:
libuuid is not from ISPConfig, so I don't know if you can change it or not.
Does MySQL need to be listening on every interface if we are not planning a multiserver setup?
No. But then your customers are also not able to use tools like the MySQL Windows GUI tools to manage their databases.
What do you think about security tools like tiger, logwatch, Samhain, Aide? Do you use any of them yourself?
I use logwatch on my servers.