If the cameras do not need to stream directly to a remote network client (in a different IP subnet), but are always viewed through the VMS, you can do some things to reduce the exposure introduced by cameras (or printers, or other "dumb" devices that are not really so "dumb"...).
One of the options when designing a flat network that is able to slightly increase the security is to intentionally misconfigure the DHCP scope for those MAC addresses which are cameras (called reservations), or to configure them statically without providing a default gateway (or providing the wrong one).
If you provide one that is currently off-line, you can bring the router IP online if the camera needs to directly download firmware or something, and then turn it off again after use. If you always manage them from the VMS or at least locally, they will likely not ever need a default gateway, and that tends to prevent them from communicating via the Internet.
Filtering by MAC and/or IP at the firewall is also helpful. There are no perfect security options, but if they are on the same IP subnet as everything else, then even a little helps.
There are lots of ways around simple fixes like this, but if several layers of these simple things are implemented, it is MUCH more difficult for malware/bad actors to tackle each and every one of these in one exploit. For a person it is not so tough to beat, but currently most of the malware generally assumes the machine is configured correctly for the environment. (Not all, however, but all the camera exploits I know about so far assume the TCP/IP stack is configured correctly.)
I am not a camera expert though and someone else here might have better information.
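
One way to check that the controls described in the post above are holding, as an added example that is not part of the original post: a small audit over LAN flow records that flags camera traffic leaving the subnet and camera IPs used by a MAC that does not match its reservation. The subnet, MAC/IP reservations and the four-field log format are all constructed assumptions.

```python
import ipaddress

# Assumed values for illustration: the flat LAN and the camera reservations.
LAN = ipaddress.ip_network("192.168.10.0/24")
CAMERAS = {  # MAC -> reserved IP (constructed)
    "00:11:22:aa:bb:01": "192.168.10.201",
    "00:11:22:aa:bb:02": "192.168.10.202",
}

# Constructed flow records: "src_mac src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
00:11:22:aa:bb:01 192.168.10.201 192.168.10.5 554
00:11:22:aa:bb:02 192.168.10.202 203.0.113.40 443
00:11:22:aa:bb:02 192.168.10.202 192.168.10.5 554
66:77:88:cc:dd:09 192.168.10.201 198.51.100.7 80
66:77:88:cc:dd:10 192.168.10.50 198.51.100.7 443
"""

def audit_flows(text, lan=LAN, cameras=CAMERAS):
    """Return (line_no, finding, mac, src, dst) for suspicious camera flows."""
    camera_ips = set(cameras.values())
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        mac, src, dst, _port = parts
        mac = mac.lower()
        # Only look at flows that involve a camera MAC or a camera IP.
        if mac not in cameras and src not in camera_ips:
            continue
        # The MAC/IP pair must match the reservation exactly; a mismatch
        # means a moved camera or another host using a camera identity.
        if cameras.get(mac) != src:
            findings.append((n, "mac-ip-mismatch", mac, src, dst))
        # A camera with no default gateway should never originate
        # traffic to an address outside the local subnet.
        if ipaddress.ip_address(dst) not in lan:
            findings.append((n, "off-subnet", mac, src, dst))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```
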