If networks are segregated correctly, another vector for malware to spread from one vm to another is though storage.
How can drive access between vms be restricted to prevent malware spreading from one vm to another vm, or from a vm to the host ?
Is it even possible to contain an infection to only the one affected vm in ESXI ?