There are some good points in this thread, and despite its age, I do mostly agree with the OP. Now that these operating systems aren't in daily use, the risks are not the same. Sure, if you don't use antivirus and you're installing any old random tat from the Internet, you can still easily hose a system. But it's a bit different when it's not your daily driver, doesn't have any sensitive/valuable data on it, and you've probably already got a disk image of it (right?!).
I have my retro PCs on a separate VLAN. The clients on that VLAN can only access other systems on the same VLAN (for gaming and sharing files between retro PCs), the firewall, a Pi-hole instance for DNS, and an internal FTP server so I can transfer files between retro PCs and the rest of the network/modern systems. That's as much mitigation as I think is necessary. I also have DriveImage disk images of each system on DVDs, along with all the drivers and notes for each one, so if I have to rebuild due to a problem it's not too much stress. I've made use of services like Windows Update Restored and done a bit of web browsing on WfW 3.11, something I never did in period. Even joined some Unreal Tournament online games using the original game running under Win98. Just be sensible about what you get up to.
Back in the day everyone used to connect directly to the Internet without much thought. I remember for a long time doing that with dial-up and briefly with a cable connection, before building a Smoothwall box (firewall/router). It was the norm for a PC to have a public IP address. There were some desktop firewall/security applications just coming about in the early 2000s, such as ZoneAlarm, that I remember using for a bit of protection. It was a very different time, not least because households usually didn't have multiple systems to share an Internet connection with, so home routers - and the inherent protection that they add - were just not a thing.