Yes indeed. It's the "if possible" part
It's for a company with multi-layered management team and it's also holiday season so currently there are little people that are able to make decisions on this (the rest went skiing :-))
So would be great if Cisco could state that it's fine to upgrade at a somewhat later time if the management interfaces are closed off.

But how would you close the "web-based" management interfaces?

I couldn't think of any settings in the GUI (probably also no command via CLI, but haven't checked that)

There is a firewall in front of the VCSes. 

Also under System > Protection > Firewall rules you can set up rules on the VCS itself.

Ok, yes, but that's the normal setup with the firewalls.

But still, you can't disable the full web service. If you would block the traffic (e.g. 443), then you won't be able to manage it via GUI or will cut of your MRA feature (on port 8443).

You could re-configure the GUI port to e.g. 7443, but then this port is open again.

Ah yes. On the VCS firewall rules you need can only allow, block and drop.
On the "real" firewall there you can block everything except trusted address.

Still you would not really shutdown the web service and as such you would be affected by the defect.

Having rules in place to limit traffic to the bare minimum for the service to work is best practices. Part of this would definitely be to only allow access to the web UI from internal sources.