They had physical access to the *hardware*, not the software running it. Childs disabled the serial ports, which to me proves he was trying to shore up his "job security". Also, he only had the configs running in active memory, not saved on NVRAM like you're supposed to, so if there was a power blip *ZAP* that switch is down. That's criminally stupid; the only reason for doing so is to try and prevent Cisco from physically getting into it.
And it is STUPID to disable the serial ports. All you're doing is making the poor tech from Cisco your bitch while he's there trying to do his job. It's petty and mean. One day, he's going to be the guy to save your bacon. Making his life difficult serves no purpose whatsoever.
Yes, you're making the switches more secure, but secure from what? Terrorists? Look buddy, if they're standing in your data center, your security is blown and they have better targets than the switches. I'd blow the AC and let everything cook.