Seems odd you'd have the least secure systems on the domain, the client computers... and not have the most secure systems on the domain, the servers. With your DC and hypervisor being on the domain, how many times have those been compromised? Do you not update your servers? Do they all have internet access?
To my knowledge they haven't been.
No. All servers receive Windows updates.
And I agree, this is odd. This, and so many other things, are being fixed one bite at a time.
Set your firewall to drop outbound traffic from servers that don't need Internet access. Point those servers to a local WSUS server for updates. Allow the WSUS server to get out to the Internet. You can set local policy and point servers to WSUS if they aren't domain joined. That way, servers can be updated but with a lower attack vector, as they cannot get online.
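One way to carry out the steps in the reply above on a single non-domain-joined Windows server, as an added example (this is not the commenter's script, and it uses the host firewall rather than a perimeter firewall). The WSUS hostname `wsus01.corp.local`, its address `10.10.5.20`, the default WSUS ports 8530/8531, and the internal range `10.0.0.0/8` are assumed placeholders; replace them with your own values. The registry keys written are the standard local-policy locations that the Windows Update client reads, which is what "set local policy and point servers to WSUS" amounts to on a standalone host.

```powershell
# Assumed values for this example; substitute your own environment's.
$WsusHost     = 'wsus01.corp.local'   # hypothetical WSUS server name
$WsusAddress  = '10.10.5.20'          # hypothetical WSUS server IP
$WsusHttpPort = 8530                  # WSUS default HTTP port
$WsusTlsPort  = 8531                  # WSUS default HTTPS port
$InternalNet  = '10.0.0.0/8'          # hypothetical internal address range

# 1. Point the Windows Update client at the local WSUS server via local policy
#    (same keys a domain GPO would set; UseWUServer=1 makes the client honour them).
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
New-Item -Path $auKey -Force | Out-Null
Set-ItemProperty -Path $wuKey -Name 'WUServer'       -Value "https://${WsusHost}:${WsusTlsPort}"
Set-ItemProperty -Path $wuKey -Name 'WUStatusServer' -Value "https://${WsusHost}:${WsusTlsPort}"
Set-ItemProperty -Path $auKey -Name 'UseWUServer'    -Value 1 -Type DWord
# Use WSUS for all update scans, not Microsoft Update.
Set-ItemProperty -Path $auKey -Name 'NoAutoUpdate'   -Value 0 -Type DWord

# 2. Allow only what the server needs to reach before blocking everything else
#    outbound. Rules are evaluated before the default action, so order of
#    creation does not matter, but create them first to avoid a lockout window.
New-NetFirewallRule -DisplayName 'Allow WSUS (HTTP/HTTPS)' -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteAddress $WsusAddress `
    -RemotePort $WsusHttpPort, $WsusTlsPort -Profile Any

# Internal traffic (DNS, AD, management, monitoring) stays allowed; restrict
# this range further once you know exactly which internal hosts are needed.
New-NetFirewallRule -DisplayName 'Allow outbound to internal network' -Direction Outbound `
    -Action Allow -RemoteAddress $InternalNet -Profile Any

# 3. Drop all other outbound traffic on every profile. Inbound is left as-is here.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 4. Restart the update service so it picks up the new policy, then trigger a scan.
Restart-Service -Name wuauserv
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

# 5. Verify: the only outbound allow rules should be the two above, and the
#    client should report the WSUS URL as its source.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer
```

Before applying the outbound block on a production host, confirm that anything else the server legitimately contacts (time source, license activation, log forwarding, backup targets) falls inside the allowed internal range or gets its own explicit allow rule; otherwise the first symptom of the change is silent breakage rather than a blocked connection in the firewall log. Enabling firewall logging for dropped packets (`Set-NetFirewallProfile -LogBlocked True`) is the easiest way to see what the server was still trying to reach.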