No, it's not really for security reasons. It's for performance (or efficiency). Doing the "yum -y update" in the %post adds considerable time to the total install. I'm working on creating a CentOS VM to be used here at work, and while I'm still in the testing phase, I'd like to reduce the turnaround time. Also, I think I can reduce the VM footprint if I install the final version of all the RPMS initially, instead of installing 4.4 first and then all the updates.
Without re-rolling the install tree, there isn't much way to accomplish building the updates into the installer. You would have to do the install via %post, though with a local repository this shouldn't be overly long.
The alternative (which is much more work) would be to check out the /build directory on the mirrors and consider building new install media with the updates rolled in. Personally, this isn't really worth the effort to me.