Surely I'm not the only one who reads the security bulletins from VMware and then determines how critical it is to the environment?
You are not. If you feel strongly about it, you should open up a support request to get the bulletins updated with more information. I have always gone back to CVE and looked up the issue there, then gone and found the actual attack description elsewhere. This way, I have done all my research. I would do that even if it was provided by the vendor as you then have corroboration on the CVE and its impact.
If you have a well-segregated management environment, the severity of this goes down significantly. BTW, we just covered the lowest hanging fruit of virtualization security on the Virtualization and Cloud Security Round Table Podcast on 4/20/17 (see below).
Edward L. Haletky aka Texiwill
VMware Communities User Moderator, VMware vExpert 2009-2017
Virtualization and Cloud Security Analyst: TVP Strategy
Blue Gears Blog: vSphere Upgrade Saga