Exactly.
I am air force IT. We've been rolling out "SDC" or Standard Desktop Configuration for years now. Now there is SDC II -- The Vista SDC. We also have SSC -- Standard Server Configuration.
These really aren't much more than supported nLite windows load discs.
The SDC has:
-Most of the drivers we need including SATA, mobo drivers, network drivers, etc
-Obvious fixes to password complexity that pretty much anybody can hardwire after the fact, but ours is pre-set
-Altered admin account name, which again anybody can do after the fact but only ours is pre-loaded
-All the current patches, usually only 5-20 updates need to be applied after installation, and those are all controlled via domain controllers and login
-Biggest advantage really is application testing...if it works under SDC, then it works everywhere
All this, and our networks are still ridiculously porous. I have unix and linux experience. I am also Security+ certified, among many others. My home is network secure than the Air Force. And I don't need to spend millions of dollars doing it.