Yes, products like VMware should be patched sometimes (the updates are cumulative), but the patches come less frequently than a mainline operating system and the potential attack vector is smaller - your hypervisor should not be publicly accessible.
I'll use VMware ESXi version 5.0 (not 5.1) as an example...
ESXi 5.0 has had the following update schedule:
Between 9/2011 and the present, there have been TEN updates to the ESXi 5.0 product. Out of those, SIX were security-focused updates rolled into the update bundles with descriptions like:
"ESXi NFS traffic parsing vulnerability" - CVE-2012-2448.
These security vulnerabilities are real, as they sometimes mirror general Linux security bugs, but I think most organizations aren't very susceptible to the risks. It's up to the engineer to assess this risk, though. Would your users want massive downtime to fix the following exploit?
"The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
glibc or libc6) 2.11.1 and earlier, as used by ncpmount and
mount.cifs, does not properly handle newline characters in mountpoint
names, which allows local users to cause a denial of service (mtab
corruption), or possibly modify mount options and gain privileges, via
a crafted mount request."
Maybe? Maybe not.
I run VMware's Update Manager, but only tend to update if I'm impacted by a bug or require a feature enhancement. When run in a clustered setup, patching is easy with no downtime to the running VMs. If no other pressing reasons exist, I'll just strive to update quarterly. Individual hosts will require a full reboot, since the patches are delivered as monolithic images.
As a side note, whenever I inherit a VMware ESXi setup or work on a system I don't normally manage, I often see hosts running that have never had any VMware patches applied. That is wrong!! But I can see how administrators could make that mistake once systems are up and running.