Next question is what about VMS manufacturer issued patches and upgrades? Do you install them? When, how? What if they address security vulnerabilities?
This is something that should be a written policy. You can a) never patch; b) patch after testing - define the test in the procedures; c) patch the production system, and back out if it fails; d) patch production, and if it is a security vulnerability patchm, and the system fails, then be down until a new patch is out; e) something else. You may have multiple production servers, and can do one as the test.
Regardless, put the policy and procedure in writing and follow it.
How do you determine which option? Which is a higher priority issue? Continuous video monitoring while risking a patched problem, or risking an update which may stop your continuous video monitoring? You may have criminal activity to monitor, you may have regulatory issues with patching or non-patching.
Same sort of thing may apply to your client workstations. Do they get patches, updates, upgrades, etc? Again, written policy and procedures are critical. I've seen desktops where the user couldn't install anything for security reasons, but then couldn't install Java, Flash, or Firefox updates, and that opened the door to vulnerabilities, leading to a security hole.
Think about which scenario you would rather explain to your boss. "I did not run Windows Update, and we got a piece of malware that shut down the whole video system, that would not have gotten in if we updated." or "I installed the latest Microsoft-issued Windows updates, and one of them didn't work. I'll back out the update, though we won't be able to monitor the mob/CBRNE/gambling activity for 3-5 hours."
Next question is do you run security vulnerability tools, such as MBSA, Nessus, Qualys, etc? Do you run it privileged or not? Do you have a qualified system admin, such as a MCSA or MCITP managing the server? Do you use a server OS, or desktop OS? What if you have a Linux OS?
Do you have a BC/DR plan? Do you have a system partition backup? Do you backup the video files? Do you use RAID?
There may be more policy and procedure issues than any of us are aware of...