Hello. Broadcom acquired VMware, which has produced several changes around licensing and its products (December 2023)

The Free vSphere Hypervisor is no longer available. Therefore, free licenses for this product can no longer be obtained.

The paid versions ESXi 7 and 8 continue with their support scheme. There are no longer perpetual licenses, it has been migrated to a software subscription scheme. It is very likely that the new patches for version 7 or 8 will no longer be compatible for the free license.

The license change is always online in ESXi and does not require any reinstallation.

If you have a free license you are very lucky and could continue using it, since it was perpetual. I simply couldn't apply new patches..

VMware always offered special discounts for educational centers, government and GMOs, but now you should consult with a VMware distributor, things are changing at VMware.

Just remember that there is a minimum of 16 cores per CPU.  So, if your 24 cores is two CPUs you will have to buy 32 cores.

I am having fun with my renewal now, and I will be paying for a bunch of cores that are not going to be used.  This is according to VMware licensing,

Do you really need security updates? I've found out that as long as you don't let a system connect to the Internet, it will be alright. I host Exchange Server, otherwise known as malware and hacker haven. It's like a honeypot. But it cannot connect to the Internet, but you can reach it from the Internet, Outlook on the Web (webmail) on it, autodiscover, Exchange Web Services, everything works. I also have domain controllers that have never gotten a security update and they're just fine.

Better than fine I'd say since they have no access to Windows Update to remotely screw them up. You just need to take really good care of your firewalls and network policies. Nothing in your network should be allowed to connect out if you don't know the reason. Ports 80 and 443, on TCP, not UDP are all you need, others ports are not needed since you should serve all services from the intranet, namely DNS, NTP, etc. and even those should be served by a second layer of servers, for instance, DNS by your domain controllers, but domain controllers (nor any Microsoft product) should be allowed to ever connect to the Internet, so they should their DNS through BIND/KnotResolver/Unbound forwarders/proxies, or place another DNS server to act as a router between Active Directory and the forwarders. Also, find lists of popular/common DoH servers to blacklist them while preemptively resolving them in one of the outer layers of DNS servers so they're blocked at the IP level too.

Use Suricata or another IDS/IPS. Don't use a firewall that claims to do all of this for you, or anything cloud-related, because they will be also collecting information "to serve you better".

It's tedious but you can go without security updates. On the flipside since this work is all done on network infrastructure, which offers many way to redirect traffic while you're working on it and none on the hypervisors themselves. So in other words, you should have to maintenance downtime.