Well, not having the host physically connected to both zones would make it impossible for a successful attack on a host to compromise the less secure zone. I personally feel the risk is pretty low, especially when care is taken in the initial implementation of the host networking. But yes, it's true that it's "software", and if your company's policy is to never rely on software-based security on the perimeter, then you will have a hard time convincing them otherwise.
I agree with you that having the management network on an internal network is safer than exposing it to a network shared with insecure hosts, with regard to protecting the virtual infrastructure hosting the DMZ part of your datacenter. I wouldn't want my hosts listening on the same network as my Windows 2003 IIS servers. I'd also prefer not to have to poke more holes in the firewall for my host to have to talk to DNS and whatever may be required for any plugins I might want to use (EMC/NetApp storage plugins, for example).
Maybe you can compromise with your network guys and have them create another network just for the host management network (which is a best practice anyway) that is routable, but can only be accessed from the inside network and is screened so that only your internal DNS server is accessible from your host.
As an aside, check out the vSphere hardening guide; you might find some of the suggestions useful.
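
The screened management network suggested in the post above can be checked mechanically against a firewall rule export. The following is an added example, not part of the original post: the subnets, the DNS address, the rule tuple format and the management port 443 are all constructed assumptions. The check is conservative in that it flags any offending allow rule even if an earlier deny would shadow it.

```python
import ipaddress as ip

# Constructed addressing (assumptions for illustration only)
INSIDE = ip.ip_network("10.0.0.0/16")   # internal network
MGMT = ip.ip_network("10.50.0.0/24")    # dedicated host management network
DNS = ip.ip_network("10.0.0.53/32")     # internal DNS server

# Ordered rules: (action, source, destination, protocol, port); port None = any
GOOD_RULES = [
    ("allow", "10.0.0.0/16", "10.50.0.0/24", "tcp", 443),
    ("allow", "10.50.0.0/24", "10.0.0.53/32", "udp", 53),
    ("allow", "10.50.0.0/24", "10.0.0.53/32", "tcp", 53),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]
BAD_RULES = [
    ("allow", "10.0.0.0/16", "10.50.0.0/24", "tcp", 443),
    ("allow", "192.0.2.0/24", "10.50.0.0/24", "tcp", 443),  # DMZ reaches host management
    ("allow", "10.50.0.0/24", "0.0.0.0/0", "any", None),    # hosts reach everything
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]

def audit(rules):
    """Return (rule_number, problem) for allow rules that break the design."""
    findings = []
    for n, (action, src, dst, proto, port) in enumerate(rules, 1):
        if action != "allow":
            continue
        src, dst = ip.ip_network(src), ip.ip_network(dst)
        # Inbound: only the inside network (or the management net itself)
        # may be a source for traffic destined to the management network.
        if dst.overlaps(MGMT) and not (src.subnet_of(INSIDE) or src.subnet_of(MGMT)):
            findings.append((n, "management network reachable from outside the inside network"))
        # Outbound: hosts may only talk to the internal DNS server on port 53.
        if src.overlaps(MGMT) and not (dst == DNS and port == 53):
            findings.append((n, "hosts can reach more than the internal DNS server"))
    return findings

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit(rules) or "no findings")
```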