John,
In general, I don't think this is a good idea. I'd expect the assumption that SYSTEM is not DISUSERed to be all over the place. In particular, it would seriously constrain your startup procedure, as you couldn't SUBMIT any jobs.
If the concern is external attacks, there are several defences, especially if you don't use the account for interactive logins. Start with a completely random, 32 character password that even you don't know. First line in LOGIN.COM:
$ IF F$MODE().EQS."INTERACTIVE" THEN LOGOUT
Maybe add UAF/INTERACTIVE and /NETWORK access restrictions. If the auditors trust the DISUSER bit in the UAF, they should also trust access restrictions.
If you want to go further, jack up LGI_HID_TIM from 5 minutes to a few hours. Then you can DELIBERATELY feed in login attempts with invalid passwords at regular intervals to keep SYSTEM in INTRUSION state. That way even if some external hacker manages to guess your 32 character random password, they STILL won't get as far as the LOGOUT command, but network and batch jobs will still work.
On the other hand, you could just try it and see what breaks ;-)
Check with HP. I think it's still recommended that patches be installed from SYSTEM, and it's possibly mandatory for OS upgrades (though that can be dealt with by temporarily enabling the account).
The big question you need to sort out with the auditors: does the (arguable) decreased risk from external penetration balance the increased risk and cost resulting from running a non-standard (and possibly unsupported) configuration?
(I've been in plenty of places with very high audit standards, and can't remember ever going as far as DISUSERing SYSTEM).
A crucible of informative mistakes
