Are Drop-ins harmful for a WordPress website?

As for every part of your whole Setup, the principle remains the same.

Every Plugin, Theme, Drop-In, ChildTheme, Core, whatever code you use is secure if coded properly.

On the other hand, every code on your site can add to the vulnerability of the site.

Keep everything up to date

This should go without saying, but it is important to your security that you run the latest versions available.

What is a Drop-In?

From your question I suppose that you are confused as to what a Drop-In actually is.

Drop-Ins are used to alter Core WordPress files.

As you know, hacking the Core directly is a bad, bad idea. In some cases, however, you may want to alter the way WordPress talks to your database, and use your own db.php. You can define this class in a file also named db.php, and place it in your WP_CONTENT_DIR directly (not the Plugin or Theme folder).

If the core WordPress function is available to be altered by a DropIn (not every file has this capability), it will be replaced by your custom file, in our case db.php, and is now called a DropIn.

The advantage is obvious – if you update the core, your changes are not lost.

Notice: If you want to get a list of all the available DropIns (if you use multisite, you get a different result), create a small Plugin which contains the following code. I just dump the result; be sure to handle the output the way it should be.

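<?php
/**
 * Plugin Name: Dropin
 */

// Dump the drop-ins WordPress core knows about whenever an admin page loads.
function f711_print_dropins() {
    // _get_dropins() is defined in wp-admin/includes/plugin.php, which is loaded in the admin area.
    print_r( _get_dropins() );
}
add_action( 'admin_init', 'f711_print_dropins' );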
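
As an added example (not part of the original answer and not WordPress code), the following Python script checks the drop-in files placed directly in a wp-content directory against hashes of the versions you have reviewed. The filename sets are assumed from recent WordPress core, and `audit_dropins`, `baseline` and the sample files are hypothetical names and constructed data.

```python
import hashlib
import tempfile
from pathlib import Path

# Drop-in filenames WordPress core recognises (assumed from recent core; the
# plugin above prints the authoritative list for your installation).
SINGLE_SITE = {"advanced-cache.php", "db.php", "db-error.php", "install.php",
               "maintenance.php", "object-cache.php", "php-error.php",
               "fatal-error-handler.php"}
MULTISITE = {"sunrise.php", "blog-deleted.php", "blog-inactive.php",
             "blog-suspended.php"}


def audit_dropins(content_dir, baseline, multisite=False):
    """Compare drop-ins directly in content_dir with a reviewed baseline.

    baseline maps filename -> SHA-256 hex digest of the reviewed version."""
    names = SINGLE_SITE | (MULTISITE if multisite else set())
    report = {}
    for name in sorted(names):
        path = Path(content_dir) / name
        if not path.is_file():
            if name in baseline:
                report[name] = "missing"      # reviewed file has disappeared
        elif name not in baseline:
            report[name] = "unreviewed"       # active drop-in nobody signed off
        else:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            report[name] = "ok" if digest == baseline[name] else "changed"
    return report


def demo():
    """Run the audit twice on a constructed wp-content directory."""
    with tempfile.TemporaryDirectory() as tmp:
        content = Path(tmp)
        reviewed_src = b"<?php // reviewed db class\n"
        (content / "db.php").write_bytes(reviewed_src)
        (content / "object-cache.php").write_bytes(b"<?php // no baseline\n")
        (content / "sunrise.php").write_bytes(b"<?php // multisite only\n")
        baseline = {"db.php": hashlib.sha256(reviewed_src).hexdigest(),
                    "maintenance.php": "0" * 64}
        first = audit_dropins(content, baseline)
        (content / "db.php").write_bytes(b"<?php // edited after review\n")
        return first, audit_dropins(content, baseline, multisite=True)


if __name__ == "__main__":
    for result in demo():
        print(result)
```
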