Agreed, shutting off all access is silly
Though I'm assuming that if you shut off SSH you will still have console access, so the idea of shutting off SSH is to make it inconvenient for dumb sysadmins to log in and change things willy-nilly. Obviously you must have some form of access to do diagnostics, because monitoring doesn't always provide enough info to know what bit of hardware is going bad. I wouldn't go so far as shutting off SSH myself, but the idea of cloning servers instead of installing them all 'properly' is something I've long believed in.
Back in the late 90s I built a standard install for my 100+ HP-UX workstations. HP-UX allowed building a single kernel that supported all the different hardware types (this was before the 64-bit CPUs came along) by including the necessary drivers in the kernel's system file, and resource allocations could be done by percentages to account for different amounts of RAM.
I put that common kernel and the rest of the OS into a giant tar file that HP's installation software would let me deploy in lieu of their standard install process, so I could re-image a workstation in about 10 minutes. I had written a few custom scripts that ran on the first boot and 'personalized' the workstation with its own name, IP address, etc. based on its MAC address. If there were any problems with one of the workstations, the first step (after checking dmesg and other diag logs) was to re-image the workstation and see if the problem went away. If it didn't, we could rule out software as the cause for something that was only happening on one workstation, since we knew the software was identical on all.
The workstations were never patched or upgraded; instead, the gold image was altered and redeployed from scratch on every workstation, which I could do in an evening from home, doing a dozen or so at a time to keep from overloading the server/network.