They are only in violation of PCI requirements if the unpatched servers in question processed/handled credit card numbers. I could not glean from TFA if this is the case. It's bad practice to leave unpatched servers that don't process sensitive data, but it's not uncommon, unfortunately.
Servlets don't restrict network connections, and people do it all the time to talk to their database. I know you're not supposed to spawn threads with EJB (because transaction information is kept in thread local storage), but I don't recall anything about not spawning threads being in the servlet spec. I know of a lot of code that does it in various containers without problems.