ioFTPD doesn't support regular expressions for path matching. It supports unix-style command line path matching where * matches anything or nothing, ? matches any single character, and [] and [^] match any single character in or not in the group. This explains why the [VFS] rules aren't doing anything for you
Let's use your example of: /Section/2014/2014-01/0101/subdirectory
I'd just stick with the default VFS rules for /*. I'd suggest you do something like.
site chown ioFTPD:ioftpd /
site chmod 755 /
site chown ioFTPD:ioftpd /Section
site chmod 777 /Section (or perhaps 775 in some cases).
The root dir (/) tends to get stuff uploaded to it when scripts freak out so I like it read-only most of the time.
NOTE: You don't want to use -R to recursively set perms/ownership, but you might want to use * from within a dir to do all immediate subdirs.
NOTE: M flagged users are the only one who don't have ANY perm checks applied to them when dealing with filesystem perms (rwx stuff). V flagged users can SEE everything but if they attempt to do something directly requiring write permissions it will be denied. This is a safety feature. They of course have the ability to use chmod to make whatever they need to do writable and THEN delete it but it's a 2 step process on purpose. Most of the time this isn't an issue since they'll just use 'site wipe' to delete stuff anyway and the idea was site wipe would protect you from doing things you shouldn't be doing without realizing it.
NOTE: When you create a directory from inside the FTP it inherits the permissions of it's PARENT dir. Thus if you manually create /Section/2014/2014-01/0101/subdirectory the new sub will have the same perms (rwx's) as 0101. This is important if you have a /Games dir with games getting put directly into it because it must be 777 for regular users to create dirs in it! It's up to scripts (say nxTools newdate feature) to do whatever it wants if it creates a dir itself.
So here's the tradeoff you need to think about at the moment. None of the new-day scripts are really good about handling a server that is offline when the newday event should run especially if it's missed more than the most recent. Thus it's sometimes necessary to manually create dated or even a monthly dir. In that case it's easy to forget to +777 the dir if you were using 775 on it's parent, so I'd just go with 777 everywhere but root...
Now back to your original problem, if you want to protect uploads to dated dirs try these rules:
MakeDir = /Section/[0-9][0-9][0-9][0-9]/[0-9][0-9][0-9][0-9]-[0-9][0-9]/[0-9][0-9][0-9][0-9]/* 31VM
MakeDir = /Section/[0-9][0-9][0-9][0-9]/[0-9][0-9][0-9][0-9]-[0-9][0-9]/[0-9][0-9][0-9][0-9]/ 1VM
MakeDir = /Section/[0-9][0-9][0-9][0-9]/[0-9][0-9][0-9][0-9]-[0-9][0-9]/ 1VM
MakeDir = /Section/[0-9][0-9][0-9][0-9]/ 1VM
MakeDir = /Section/* VM
I think that should work. The trailing / should mean it must be a dir that exactly matches, whereas a trailing /* means any path which matches at least that far.
That only leaves the subdir of the last dir problem. You can sometimes use a zipscript like ioNiNJA to only allows certain dirs to be created in certain sections. Where that makes sense I'd use it. Or you could try another rule before the others like:
MakeDir = /Section/[0-9][0-9][0-9][0-9]/[0-9][0-9][0-9][0-9]-[0-9][0-9]/[0-9][0-9][0-9][0-9]/*/* !*
which should prevent subdirs of the dirs in the dated tree...
Let me know if this works for you and/or makes sense