Tuesday, June 23, 2020

Segregating insecure devices

We have a number of devices on an unsupported/insecure OS that we are being told won't be updated and need to continue to be allowed on the network. We are trying to come up with a solution to segregate these devices and were wondering what people think (we have already said they should just update them, but you know how it is).

We have layer 3 access switches and separate VLANs for all the different types of devices, but we don't really make use of ACLs other than some basic ones on the access switches currently, as we have a large estate and it would be a lot to manage for our team. The requirement should really just be internet access, but they are already talking about loads of internal servers and services the machines will still need to communicate with.

Management just say "put them on another VLAN", but that doesn't actually solve the security issue; it's just like putting the problem in the room next door to you but leaving the door open. We have looked at trunking the VLAN back to our firewalls and handling access from there, but it occurs to me that that negates any benefit of having IP routing up to our access layer, and depending on how many areas these devices cover it will mean we are connecting a large area together, which is the opposite of our current design, which tries to avoid large L2 failure domains. I was thinking VRF, as we do currently make use of VRFs on our network, but 90% of our access devices don't support VRF and only the core of our network does, so that isn't an option.

Am I missing an obvious solution to this? I don't have a huge amount of experience designing. Cheers.
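The post is asking how to make "put them on another VLAN" actually mean something without hand-maintaining ACLs across a large estate. One practical middle ground on layer 3 access switches is to keep the quarantine VLAN local to each switch (no L2 stretch back to the firewall) and generate the ACL for its SVI from a short allow-list, so the per-switch config is mechanical rather than hand-written. The script below is an added example and not code from the post; the VLAN, addresses and services are constructed sample data, and Cisco IOS extended-ACL syntax is assumed because the post does not name the switch vendor. It also simulates first-match evaluation so the rendered policy can be checked before it is pushed.

```python
"""Generate and sanity-check a per-VLAN ACL for a quarantine segment.

Policy expressed here (an added example, not from the post):
  1. permit DHCP relay traffic and the explicitly allow-listed internal services,
  2. deny everything else destined for internal address space (logged),
  3. permit whatever is left, i.e. internet-bound traffic,
  4. explicit deny-any-any with logging (IOS has an implicit one anyway).
Addresses, VLAN and services below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
# Address space the policy treats as "internal" (RFC 1918 plus link-local).
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Constructed sample data: the quarantine VLAN and the internal services its
# hosts are still allowed to reach, as (proto, destination, port).
QUARANTINE = ip_network("10.90.0.0/24")
ALLOWED: List[Tuple[str, str, int]] = [
    ("udp", "10.1.1.53/32", 53),    # internal DNS
    ("tcp", "10.1.1.10/32", 443),   # patch / AV server over HTTPS
    ("tcp", "10.1.1.20/32", 445),   # one specific file server, SMB
]


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None means any destination port
    log: bool = False

    def matches(self, src: IPv4Address, dst: IPv4Address,
                proto: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def is_narrow(dst: IPv4Network) -> bool:
    """Allow-list entries must be a host or a /24 or smaller subnet (policy
    choice for this example); a broad internal range in the allow-list would
    silently re-open the estate that the deny lines are meant to close."""
    return dst.prefixlen >= 24


def build_quarantine_acl(quarantine: IPv4Network, allowed) -> List[Entry]:
    entries = [Entry("permit", "udp", ANY, ANY, 67)]  # DHCP via ip helper-address
    for proto, dst, port in allowed:
        dst_net = ip_network(dst)
        if not is_narrow(dst_net):
            raise ValueError(f"allow-list entry too broad: {dst_net}")
        entries.append(Entry("permit", proto, quarantine, dst_net, port))
    for net in INTERNAL:                       # block lateral movement, and log it
        entries.append(Entry("deny", "ip", quarantine, net, log=True))
    entries.append(Entry("permit", "ip", quarantine, ANY))   # internet-bound
    entries.append(Entry("deny", "ip", ANY, ANY, log=True))  # spoofed / unexpected source
    return entries


def to_ios(name: str, entries: List[Entry]) -> str:
    """Render as Cisco IOS extended ACL text (vendor syntax is an assumption)."""
    def net(n: IPv4Network) -> str:
        if n.prefixlen == 32:
            return f"host {n.network_address}"
        if n.prefixlen == 0:
            return "any"
        return f"{n.network_address} {n.hostmask}"   # IOS wants a wildcard mask
    lines = [f"ip access-list extended {name}"]
    for e in entries:
        port = f" eq {e.dport}" if e.dport is not None else ""
        log = " log" if e.log else ""
        lines.append(f" {e.action} {e.proto} {net(e.src)} {net(e.dst)}{port}{log}")
    return "\n".join(lines)


def first_match(entries: List[Entry], src: str, dst: str,
                proto: str, dport: Optional[int] = None) -> str:
    """Simulate the switch: first matching line wins, implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for e in entries:
        if e.matches(s, d, proto, dport):
            return e.action
    return "deny"


def example_policy() -> List[Entry]:
    return build_quarantine_acl(QUARANTINE, ALLOWED)


if __name__ == "__main__":
    acl = example_policy()
    print(to_ios("QUARANTINE-IN", acl))
    print("interface Vlan900\n ip access-group QUARANTINE-IN in")   # constructed VLAN id
    for dst, proto, port in (("10.1.1.10", "tcp", 443), ("10.1.1.10", "tcp", 22),
                             ("10.5.5.5", "tcp", 445), ("93.184.216.34", "tcp", 443)):
        verdict = first_match(acl, "10.90.0.15", dst, proto, port)
        print(f"10.90.0.15 -> {dst}:{port}/{proto}: {verdict}")
```

Two caveats a practitioner should keep in mind with this approach. An inbound ACL on the SVI only sees routed traffic, so hosts inside the quarantine VLAN can still talk to each other; if that matters, add port isolation (protected ports or private VLANs) on the access ports as well. It also says nothing about connections initiated from the rest of the estate towards the quarantined hosts; those cross the SVI in the other direction and need their own outbound ACL or a firewall rule. The ordering check in `first_match` is the point of generating rather than hand-typing: once the deny-internal lines end up above a permit, the allow-list silently stops working, and this is the kind of mistake that is easy to make across dozens of switches.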


