See... my security is based on the concept of "What costs the least amount to implement and even more so to upkeep that will mitigate at least the minimum amount of risk this system requires?"

A wargame would be fun... but I think the rules should require that each participant completely publish every step they followed from default install to the entered configuration, if it can't survive the attacker knowing everything about it, it ain't secure.
Each system should be kept online without administrator modification for 3-6 months, if it can't survive that long without patching, it ain't secure.
Attackers should be granted access to the administrative account (u/gid:0/sid:S-1-5-21-XXXX-XXXX-XXXX-500) which should retain all of its permissions (though perhaps not its privileges) again, if the system can't survive this, it ain't secure. (can you say "rouge admin?")

Keeps it more sporting that way, not to mention an excellent educational opportunity. Anything else is just a matter of what new exploit comes out first.

cheers,

catch