That depends on your preference / your security assessment, and so on.
Personally, I'd *ALWAYS* prefer to have the option to patch a machine if/as needed -- even if you end up not doing it for a long time.
With a mere 16 GB of space, do be aware that the WinSXS directory will (eventually) bloat up quite a bit, so you may run into space issues there ... (something I suspect you're keenly aware of) - and we all know how much Windows loves running out of disk space .
There's no right/wrong choice here - only a decision / taking of options ... but I've yet to see an allegedly hardened system that can't be hijacked a year after it's sealing - with the constant throng of vulnerabilities coming out. And that's - "just the OS". It gets MUCH, much worse if you have certain 3rd party stuff up there - (things like Java & Flash have been hemorrhaging security issues over the last decade) ...
So ... up to you / your security team really.
I don't think that in your situation there's a "good" call to make - there's only a "less bad one" to accept as a risk ... with 16 GB of total disk, you're not likely to be patching for the lifetime of the device I suspect.