It should be also clarified inside the company what types of patches for ESXi and vCenter should be installed in a mandatory way and what types can be skipped or let's say with low priority. 

But for sure security patches should be installed as a MUST