Good discussion by @riskybusiness and @metlstorm about CrowdStrike's report on VMware ESXi risks.
In my view, the key risks with classic VMware data centre environments are similar to the risks with classic Active Directory and backup systems - these are all core IT infrastructure for a lot of places, and there's as much legacy in the access control to these services as in the services themselves.
The CrowdStrike post (https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/) was quite good in its recommendations on what to do for vSphere environments - yes, it needs to be patched, but start with tightening access to the control plane.