It certainly feels like one of those interesting contradictions. You receive a "hardening guide", which, as you'd expect, details the ports in use, so you can lock the other ports down.
It then lists every service in use, and asks you to open said port. The end result is security that's only improved on paper.
Unfortunately, this sort of political game is what happens when something is quite secure by default, as opposed to Windows "have a million services listening that you don't need". Every one of those ports listed is required for some piece of functionality. CIM, for example, provides hardware monitoring. None of those are required to be accessed from any devices other than other ESXi servers, or the vCenter server. I would recommend running these servers in a management LAN - and then nothing needs to be opened but the RDP port to your vCenter server.