I always forget about that option, but wouldn't you want at least one other process running other than networking and iptables? I like to get reports from time to time of attempted break-ins. Since the drives are not mounted there would need to be a way to gather this information and report it somewhere, like via email or writing to a remote drive? Perhaps even a CD? Writing to a remote CD might get a bit costly under heavy fire, but might be attractive for a commercial server.
Well...yes, exactly. But, at the end of my *long* spiel, I did mention that it's optional to keep the syslog daemon running, configured to log to a remote server (internal), and you would be able to gather your logs and run reports on them this way...
That, and unless you're using packet-writing, burning to CD would still require a mounted filesystem to dump the logs to in order to burn the CD, as well as the extra effort of writing scripts to automatically burn the CDs (if going the multi-session route) and the daily (or every few days) routine of dropping fresh CD-Rs in the drive.
In all, it's an extremely good, reliable, *secure* and easy solution to keep your firewall secure, while maintaining ease of configuration and the flexibility of a full system without having to do the whole 1.44 - 1.8 MB distro-on-a-floppy or LiveCD act, neither of which provide easy ways of keeping logs (unless you configure the syslog daemon on the floppy to dump to a remote server, not much space left on those for logs, or the CD version which will lose its config after a power outage...)
On the other hand, unless you're in Molten Core combat, and are noticing lots of lag due to heavy repeated hits to your IP, who needs logs of attempted break-ins when they're not successful? :-)