is your VM safe enough?

A VM is only safe when it's powered OFF

Why?

You have prepared your VM with CDD and you want to be sure that changes will be saved on the original ISO so editing a live machine, will not be possible. You are forced to firstly update your versioned CDD/ISO so who will come after you, will be able to exactly understand what and why you did.

In my opinion, the minimal and obvious thing required for a production server, is to disable root user login. This happens by default on many recent distros and it is quite useful but the "default" user may be able to execute commands via sudo, so let's protect against this unwanted behavior.

How?

sudo apt purge sudo  

Be aware that if you followed my CDD guide you may have disabled root login so su will not work.

After this command, no more root commands are permitted.

Do I need to reinstall for update something?

It really depends on what you want to update. In my opinion, changing something little, like a configuration, could be handled with a simple GIT provisioning system.

For something more complex, it could be safer if you edit the original ISO and reinstall the SO, this because you will always have a working "plug-and-play" ISO that will just work after a fresh install. Just think about a disaster recovery (es: a non repairable RAID that fu**ed the server..)