If you connect it to a network, it's entirely plausible that there is a path to the internet. Even if it's on an airgapped network, laptops and phones end up on both through accidents...
And not just medical devices, but life-support machines running with known security vulnerabilities?
There's nothing inherently wrong with connecting medical devices to the internet, and running an outdated OS on your specialized equipment is fine too as long as it's not being connected to any unsecured networks. But running a known insecure OS on an internet-connected life-support device has got to be a violation of some law or ethical regulation.
Experience has shown that connecting a device to the open Internet is inherently risky. I'd say any act of connecting a life-support device to the open Internet would have to balance that inherent risk against any supposed benefit such a connection might involve, even if the device manufacturer is doing best practices for such a connection.
Don't be too alarmed; there are 3/4 classes of device, all with differing risk profiles. Patient safety includes things like protecting patient information, so even systems used to transfer medical records can be regarded as a medical device. Not sure I'd want a pacemaker updating online though...
It might not be connected to the internet in an IoT way, but it makes a lot of sense to connect a device to a Wi-Fi network if you need to wirelessly transmit any form of data.
People are connecting medical devices to the internet?