yeah, I agree with @WANg and @kapone's line of thought. You have to find a balance between security and practicality. Not everyone is a fortune 500 with billions of dollars of assets to protect. "Absolute security" as a mindset will lead you down a black hole that never ends. If your method of guarding against service interruptions (security breaches) involves purposeful interrupting service (disabling ipmi altogether, etc), then what's the point?
You need to find a balance between security effort appropriate for your target size and not making day to day operations a massive hassle
You need to find a balance between security effort appropriate for your target size and not making day to day operations a massive hassle