A few years back my college lecturer suggested that the most secure way to setup a (linux) firewall is to not have any loopback (lo) interface and hence it cannot run any local services but only forward traffic back and forth, etc. Obviously you would then have to manage the host from the console.
Someone has a severe concept/nomenclature problem. The presence or absence of a loopback interface has nothing to do with the services that are being offered. The loopback is how the computer talks to _itself_ and if the loopback is vulnerable, it's because someone already 0wnZ the computer.
What is probably being talked about is not offering any services, OR limiting access to such services to specific internal hosts. Another concept is that there is no access FROM the firewall to any other system inside OR out - that is, the firewall is not considered a trusted system.
Gee, my home firewall is an old laptop that doesn't have a case, keyboard or display and offers no network services. Wonder why that works.
and search for "Practical Unix & Internet Firewalls" by Zwicky, et.al.