I would agree, though I have had a number of long running plants I have sat in front of that were offline for weeks because they were "broken", and investigation showed that the operator had simply forgotten how to look for and clear a startup error....
It is ridiculous in any case, and I don't think it is a good idea. The trouble is, in a long running plant, they will never apply any "security fix" because that means shutting down the system anyway. Possibly even re-commissioning and testing the damn thing anyway, depending on policy. This is why most of the time people go with air gaps and such. Not always possible, but it is a bit of a tricky problem.