They are only in violation of PCI requirements if the unpatched servers in question processed/handled credit card numbers. I could not glean from TFA if this is the case. It's bad practice to leave unpatched servers that don't process sensitive data, but it's not uncommon, unfortunately.
Servlets don't restrict network connections, and people do it all the time to talk to their database. I know you're not supposed to spawn threads with EJB (because transaction information is kept in thread local storage), but I don't recall anything about not spawning threads being in the servlet spec. I know of a lot of code that does it in various containers without problems.
While this is disconcerting, it's not like step 2 (being a man in the middle) is easy for an attacker. If they can play that game, you have many things to worry about, which I think is a pretty simple explanation for why people aren't totally panicking over this.