I understand the need for all Internet-facing machines, let alone DB-servers, to be up to date with their patches. This is perfectly sensible.
I think I've asked this question before. What about machines and servers within a domain behind firewalls with no access to the outside world? I especially have in mind machines whose OS is no longer supported but which run a crucial piece of hardware or software.
Is it too simplistic to think that this is not a problem? To be sure, internal security and physical access are important. Can one say that a system does not need to be patched if it cannot be accessed from the Internet?