They are only in violation of PCI requirements if the unpatched servers in question processed/handled credit card numbers. I could not glean from TFA if this is the case. It's bad practice to leave unpatched servers that don't process sensitive data, but it's not uncommon, unfortunately.

Servlets don't restrict network connections, and people do it all the time to talk to their database. I know you're not supposed to spawn threads with EJB (because transaction information is kept in thread local storage), but I don't recall anything about not spawning threads being in the servlet spec. I know of a lot of code that does it in various containers without problems.