I’m starting to update all my 6.x vCenters and vROPS, pending patches being released. You should be doing this, too, since they’re vulnerable to the Apache Struts 2 critical security holes. One thing I noted in my testing is that after patching the 6.5 appliances, their root password expiration settings go back to the defaults. In this case I’d set them to not expire, but it’s clearly not that way anymore:
Depending on your security requirements this might not be what you want. It’s bad form on VMware’s part, changing something that had been explicitly set. I also didn’t test to see if it resets the actual password age, or just the expiry. You might have far less than 365 days before it expires.
While it’s a good idea to rotate passwords, I also hate being locked out of my infrastructure, especially since I usually discover it in the middle of another problem… But to each their own. Good luck!