Imagine you want to patch ESXi, and you are connected via a VPN VM running on that same ESXi host. And we don't have like 300 servers, more like 1-2 servers per site, so you understand how difficult it can become.
No, I still don't understand. You are talking about adding another server to accommodate the VPN. So you are talking purely about consolidation as a concern, which it is, and not at all about virtualization as a concern (which it is not.)
Agree. Makes no sense. Move the VPN VM to another host before updating the original.
What if you only have 1 enterprise-grade server in one site? And you can just purchase another $3000 server 'cause you ran out of budget, but you can get the AM1 AMD platform for $300 and make it a VPN server.
Many ways to crack it. For example, VPN in. Set your firewall to allow remote connections from your current external IP address (not great, but possible).
Do the work. You have the VPN for when it's up, and the rule through the firewall if it doesn't come back up. After the patch is finished, remove the firewall rule... Of course, I'd not personally do that, I'd have a second host for multiple reasons anyway...
But you don't need the physical VPN server. Why have another kit at all for a rare chance it won't come back up... If it doesn't, you probably have other issues.