" … I am a lot happier getting security updates from my distro than being on the hook for recompiling them myself in a timely fashion."
It seems to me that security updates for the kernel are only a tiny part of what a distro releases as security updates. For something like a dedicated firewall – if I've spent the time to compile my own kernel, I'm unlikely to be running all the userspace software that a distro needs to keep updated/secured. My firewall box (probably) doesn't need to update to fix newly discovered flaws in MySQL or PHP or whatever.
Right. Additionally everything was configured, where a network service was required (for example ssh) to be only listening on the internal interface. The external network exposure was tiny.
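A quick way to verify the "only listening on the internal interface" claim above is to audit the listening sockets against the internal address ranges. This is an added example, not code from anyone in this thread: it parses `ss -Hlntu`-style output (the sample below is constructed, with placeholder addresses) and reports every listener that is bound to a wildcard address or to an address outside the given internal networks.

```python
"""Audit listening sockets against an allow-list of internal networks."""
import ipaddress
import subprocess

# Constructed sample in the column layout of `ss -Hlntu`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port); placeholder addresses.
SAMPLE_SS = """\
tcp   LISTEN 0 128 192.168.1.1:22     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0 0   127.0.0.1:323      0.0.0.0:*
tcp   LISTEN 0 511 [::]:80            [::]:*
tcp   LISTEN 0 128 203.0.113.10:443   0.0.0.0:*
udp   UNCONN 0 0   192.168.1.1:67     0.0.0.0:*
"""


def split_addr_port(local):
    """'[::]:80' -> ('::', '80'); '0.0.0.0:53' -> ('0.0.0.0', '53')."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), port


def parse_ss(text):
    """Yield (proto, host, port) for each socket line."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        host, port = split_addr_port(fields[4])
        sockets.append((fields[0], host, port))
    return sockets


def find_exposed(text, internal_nets):
    """Return listeners not confined to loopback or an internal network.

    Wildcard binds (0.0.0.0 / ::) count as exposed because they accept
    connections on every interface, including the external one.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    exposed = []
    for proto, host, port in parse_ss(text):
        addr = ipaddress.ip_address(host)
        if addr.is_loopback:
            continue
        if addr.is_unspecified or not any(addr in n for n in nets):
            exposed.append((proto, host, port))
    return exposed


def audit_host(internal_nets):
    """Run the check against the live host (requires iproute2 `ss`)."""
    out = subprocess.run(["ss", "-Hlntu"], capture_output=True,
                         text=True, check=True).stdout
    return find_exposed(out, internal_nets)
```

Running `find_exposed(SAMPLE_SS, ["192.168.1.0/24"])` flags the DNS listener on 0.0.0.0, the IPv6 wildcard HTTP listener and the 203.0.113.10 HTTPS listener; the ssh and DHCP sockets bound to 192.168.1.1 pass.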
Keep in mind – the people I might have called "overly paranoid" in the pre-Snowden internet era would probably advise you to secure your infrastructure just as much from internal attacks as external ones – anybody targeting you specifically (as opposed to a fly-by botnet powered net-wide vulnerability exploit) is likely to get a foothold on a less-protected machine inside your firewall via non-direct means (spear-phishing an admin's laptop or NSL-ing your OS or router vendor).
That makes it far more "interesting" working out appropriate protection against high level attacks – fortunately for me it's purely a hypothetical defense, my personal (and professional) stance is that if law enforcement or state level espionage targets me, I'm hosed and will happily turn over passphrases and encryption keys to anyone with a badge (and hopefully a court order), and I assume any of the people who I rely on for security (from my ISP to my VPS provider, my SaaS vendors, my OS vendor, through to my hardware suppliers) will sell me out pretty much instantly if the NSA(/GCHQ/ASIO) ask them to. I can _probably_ trust a RaspberryPi that's never been network connected – but it'd be foolish to assume anything else digital I own isn't trivially vulnerable to the NSA if they cared enough about it.
My internal exposure was small because there weren't many people in the office (usually 2-3 at most). In a larger environment I would probably filter to specific admin access points.
I think in this "post-Snowden" era, you now need to consider not just the people on the internal network, but whether any of the gear on that network might be betraying you to the NSA.
I'm sitting here in my loungeroom looking at my printer, the PlayStation, the Media Server, a bunch of laptops, a few phones, a couple of iPads, a Mac Mini, the Linux box, a RaspberryPi, the cheapo Chinese adsl/wifi box, and the old NetGear ethernet switch – and wondering if any of them are taking advantage of the privileged access my home IP address has on a bunch of other internet connected networks?