If the host machine has antivirus, antimalware, etc. then I would think the virtual machine accesses the Internet through the host, and doesn't need its own protection. Is that correct?
There aren't any reported cases of a breach wherein a vm which begins running malicious code is able to infect a host. However, theoretical concerns have been raised over this very issue. Worse, if a vm gets infected, it will likely end up running a bot that will scan your network (including possibly the host) and could easily discover a hole in your defenses.
So, even if you don't care much about the vm, it is highly advisable to engage in a rigorous strategy of protecting those machines with AV software and scheduled updates. It can be challenging if you don't turn the systems on that often. So, it's generally a good idea to schedule a time every few weeks that you turn on all vm/images and get them all up to date.
If you'd mention a particular virtual host vendor or package, more specific advice may be available as for how to go about developing your vm security protocol.