I 100% agree that SSL/TLS is the way to go and should be used; however, it should also be noted that many VMS don't support cameras connected in this way.
In addition, it will increase the server load, possibly decreasing the number of cameras per server.
Many cameras do not encrypt the video stream, rather encrypting just the API & web page data. Again, having this encrypted is of importance. Check with your camera manufacturer AND VMS to find out how the combination is supported.
Also, make sure to test out the performance of a camera with HTTPS enabled. Make sure that it performs as it normally does - webpages don't slow down, video frame rate doesn't drop, and other features, such as WDR, aren't limited. I have seen cameras that have HTTPS as a spec to win a job, but it wasn't intended to actually be used. The web page slowed down to slower than mud when enabled.
Finally, for any system NOT using encryption, it is SOOOOOO important that usernames and passwords are always sent using digest authentication (a basic type of encryption, even with HTTPS off), and NOT clear text. Many cameras default to clear text, which allows someone to sniff the network and easily see the password. I have seen some cameras that have a selection of basic, digest, or both. The both option is just as weak as basic. An attacker responds to the authentication request that they only support basic authentication, and then it allows them in without digest authentication.
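
A defender-side check for the basic / digest / both settings described in the comment above, added here as an example and not part of the original comment: it classifies the `WWW-Authenticate` challenges a camera returns with its 401 response and lists every camera that still offers Basic. The camera names and header values are constructed sample data, and the function names are hypothetical.

```python
import re

_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')               # quoted-string, may hide commas
_TOKEN = re.compile(r'([A-Za-z][A-Za-z0-9_-]*)\s*(=?)')  # leading token, then optional "="


def offered_schemes(header_values):
    """Return the lower-cased auth schemes in WWW-Authenticate header values."""
    schemes = set()
    for value in header_values:
        # Blank out quoted strings so commas or scheme names inside a realm
        # cannot be mistaken for a new challenge.
        for piece in _QUOTED.sub('""', value).split(","):
            m = _TOKEN.match(piece.strip())
            # "Digest realm=..." starts a challenge; "nonce=..." is a parameter.
            if m and not m.group(2):
                schemes.add(m.group(1).lower())
    return schemes


def classify(header_values):
    """Map a camera's challenges to the settings named in the comment."""
    s = offered_schemes(header_values)
    if "basic" in s:
        return "both" if "digest" in s else "basic"
    return "digest" if "digest" in s else "other"


def needs_fix(cameras):
    """Cameras offering Basic at all, since 'both' is as weak as 'basic'."""
    return sorted(n for n, h in cameras.items() if classify(h) in ("basic", "both"))


# Constructed sample data: WWW-Authenticate values as seen in 401 responses.
SAMPLE = {
    "cam-lobby": ['Basic realm="IPCam"'],
    "cam-dock": ['Digest realm="IPCam", nonce="a1b2", qop="auth"', 'Basic realm="IPCam"'],
    "cam-gate": ['Digest realm="Gate, Basic realm=x", nonce="c3d4", Basic realm="Gate"'],
    "cam-roof": ['Digest realm="Roof, Basic realm=x", nonce="e5f6", qop="auth"'],
}

if __name__ == "__main__":
    for name, headers in SAMPLE.items():
        print(name, classify(headers))
    print("disable Basic on:", needs_fix(SAMPLE))
```

Feed it the header values captured from each camera's unauthenticated 401 response; a camera that sends Digest and Basic as separate headers or as one comma-joined header is classified the same way.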