I think the key step is to have a document that describes "everything" 
in this area. 

You can either setup the system so that it is secure and have the 
document describe what services are available and how to turn them 
on, or you can setup things so that the system is insecure and describe 
how to secure it (by turning things off).


My vote would be for the default configuration to be secure - AND 
to have the how-to-turn-things-on document full of warnings about 
the dangers/risks of each service.

How hard would it be to make the install scripts setup a root password?