It's literally best practice and the way any sensible organisation should do it. An authentication server is just that - it authenticates. Whether that's RADIUS or whatever else, it should do one job and do it well and have the minimum amount of access necessary to do that job.
With someone like Yahoo's money and resources there is no excuse.
And with an auth server farm, how do you get hacked? It has to be deliberate insider intrusion (i.e. someone who works on those machines). Done properly, even sniffing the entire network around it wouldn't do much and certainly wouldn't be able to affect older logons.
If the auth servers were just doing auth, and nothing else, and isolated, and had a single "auth" port exposed that ran a limited-scope protocol that only returns the bare minimum of data, the scope for attack is almost zero. And you literally lock them away and don't let anyone but your most trusted engineers touch them.
So it's quite obvious that all these places that do get hacked AREN'T running proper auth servers at all.
Even Steam, when it had credit card data stolen, the data was encrypted (so nothing ever came of the data leak) but... how did they get that? Why is that not stored on a completely isolated system? Why were they able to get historical records rather than only those flying over the live network (which is, I admit, harder to secure)? It means it wasn't isolated and secured.
Even CAs have had their root certificates compromised and you'd expect that to be the most secure thing in the world. Literally, make them on an offline computer, generate and sign some other root certs that you actually use, and then switch that thing off and never turn it on again unless you need it.
But, in real life, despite all the posturing about security, none of this ever happens.
The curse of general-purpose operating systems, general-purpose computers and even - as could happen in real life if people took your suggestion - using VM hypervisors as the gateway between your data and the VMs running the outside services (nothing wrong with VMs themselves, so long as the entire server farm was completely isolated from all the others - personally, for an auth farm, I'd use physical servers only to reduce the attack area even more).
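One concrete way to express the "single auth port, minimal access" posture described in the comment above, as an added example that is not from the original poster: a host firewall ruleset for a RADIUS authentication server. The addresses, the jump host and the log/NTP hosts are assumed values.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original post. Assumed values: network access
# devices live in 10.10.0.0/16, the one engineering jump host is 10.0.0.5,
# the syslog collector is 10.0.0.6 and the NTP server is 10.0.0.7.
flush ruleset
table inet auth_host {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # The single exposed service: RADIUS authentication (UDP 1812) only,
        # and only from the access devices that actually need to ask.
        ip saddr 10.10.0.0/16 udp dport 1812 accept
        # Engineering access only from one named jump host.
        ip saddr 10.0.0.5 tcp dport 22 accept
        # Nothing else: no accounting (1813), no CoA (3799), no web UI.
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # Outbound limited to shipping logs and keeping time; the host
        # cannot reach the rest of the estate even if it is compromised.
        ip daddr 10.0.0.6 udp dport 514 accept
        ip daddr 10.0.0.7 udp dport 123 accept
    }
}
```

The default-drop output chain is the part most installations skip; it is what keeps a breach of the auth host from becoming a foothold into everything else.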