I work as a VMware administrator for the Norwegian Tax Authority, and I manage massive deployments of virtual servers.
Our organisation has done very substantial research and investment in security, and there is NO better way to ensure that all VMs satisfy the same required security requirements than to start with a hardened, pre-configured template.
However, there is one factor you need to have in mind: upon deployment the VM runs sysprep, and any settings that are reset by sysprep will not be the same as on the template. If there are security settings in the VM itself, like firewall settings, certificates or other similar things, then you should rather deploy those post-deployment using a GPO instead. This way you ensure nobody can change them when they are delivered for use.