If you're looking for a simple answer?
Sure. That's easy. Be (appropriately!) paranoid.
Until you hear otherwise from an authoritative source (and which is _not_ ITRC) that a version or configuration is explicitly _not_ vulnerable, the assumption is that the software _is_ vulnerable. And if you're even operating with an average level of paranoia, not even then.
This (appropriate!) paranoia irrespective of the platform and software; whether we are discussing OpenVMS or anything else.
The web-facing servers I manage get attacked multiple times a day.
Unfortunately for this whole discussion, the OpenVMS web tools and web-facing software stacks are down-revision, and there are various security issues within the various web-facing and net-facing tools. Which is why do not recommend exposing OpenVMS to the Internet.
In defense of the vendors here, security also often turns into a circus; there's no certainty here, and even current-patch systems can be vulnerable to zero-day attacks, and to targeted attacks and spearfishing. And some of the security uproars are inconsequential for many sites; you have to know how big a target your site is, and how much you're willing to (directly and indirectly) pay to (try to) reduce your exposure to attacks. This security stuff gets FUD'd pretty heavily in the market, and it's easy to end up with an inappropriate degree of paranoia.
And one of the oft-overlooked parts of security is having current archives. And a review for the "low-hanging" security bugs that can exist in most any configuration.
