how does CommandResponderEvent getSecurityName() work?

In the command object the raw message information is hold. That means, if the PDU is a ScopedPDU, then command.getSecurityName() will return the SNMPv3 security name. In any other (currently implemented case), it will contain the SNMPv1 or v2c community.
If you are interested in the finally mapped security name for the SNMPv3 VACM, then use the security name from the provided CoexistenceInfo parameter cinfo:

OctetString vacmSecurityName = cinfo.getSecurityName();