I'm sure I could come up with lots more but I'd say the key is easy maintenance (live USB is awesome for that), throwaway hardware (no way you'll make even the best stuff last too long anyways), no Internet during classes (classes are for learning how to learn, not actually researching stuff), foster a good atmosphere (this is where the kids "work" so it should be as nice as possible).
I'd also strongly suggest letting the kids take laptops home if at all possible. The more time these kids spend on the computer the more likely they are to be able to use one as an effective tool later in life. Obviously they shouldn't be on it all day like a Slashdoter would be...but you get my drift.
About the multisite issue, I've struggled with using a single Drupal instance for this because of SSL limitations within Apache. My understanding is that a single IP is associated with a single certificate, so a multisite install could only have one SSL-enabled site. Let me know if this is incorrect or if you know of a workaround. Updating the sites with a script is certainly possible, and actually the only way I know of to handle it once you get beyond two or three sites, but requiring extra scripts to do an update is a major deficiency. Check out the Wordpress update feature for an example the way I think Drupal should go.
The security mailing list is excellent and I'd strongly agree that anyone managing a Drupal install should subscribe.
I'll check out the devel's moduel. I haven't heard of that yet.
As for update.php, the actual page states this "Drupal database update...Use this utility to update your database whenever a new release of Drupal or a module is installed." So I always run it when I install a module. This makes sense to me because the update.php script is the mechanism that updates the database structure, I believe, and there's no other way for a module's changes to be inserted into the database...again if I'm wrong please let me know.
You are false data.