Un-patchable systems need compensating controls; hardened, locked-down, white-listed from a behaviour perspective, increased segmentation and monitoring and if you can't do that then I'd suggest they are a bigger risk to the org than not having them in the first place.
Biting the hand that feeds IT
