2) Good job, you have identified why Netflix uses AWS.
3) Reserved instance is cheaper, but at that price still more than a dedicated server, and the server typically comes with a 3 year warranty and will likely last past that (Dell will warranty for 6 years). Assuming it only lasts 3, your cost for running on AWS is nearly 3 times higher even when figuring in an improved warranty and OS licensing. I concede that short duration projects or very spiky loads are a great use for the cloud, but long running, relatively even loads simply don't make sense from a cost perspective, never mind the fact that you now lose access to your database if your WAN connection goes down (unless you build out multi-WAN, but there is yet another expense).
That is a terrible policy. I spent a long night at an office of a Fortune 500 company for that very reason. They didn't see any reason to apply BIOS patches because they were just to add support for newer hardware, not to fix any sort of vulnerability. Fair enough. Several years went by and their terminal server had a processor go finicky on them. They determined the available spares included processors that were compatible. I asked, "Has the BIOS been updated to support the newer processors?" I was assured that they do regular patching and it would not be a problem. I arrive on site, install the new processors, and get no POST. A bit of troubleshooting and we determine it doesn't recognize the processors because the BIOS was out of date. Really long story shortened: we had to shut down another server, pull the processors, install them in the problem server, boot, patch the BIOS, shut down, move the processors back into the donor server, and then reinstall the new processors. Of course this was in a server room that was an overstuffed shoe box, so a number of acrobatics were required to get the servers extended to a point where they could be worked on.
So what should have been a 10-15 minute processor replacement ended up causing several hours of downtime and the unscheduled shutdown of another server.
Don't be lazy!
That said, as someone else stated, I usually wait a couple of months to patch (especially HP) unless it is considered a critical issue or I have a straightforward fail-over plan. HP has screwed my arrays, etc. more than once with their quality updates.