Sure, but that is equivalent to removing the vulnerable service entirely and the features it was offering. Listening on port 631 for connections from any machine is the entire purpose of cups-browsed, it's the only way to do automatic printer discovery. If we think the port should be closed, then Ubuntu and the other distros should also remove this service, at least from the default installations.

Yep SOP is to block all ports that I haven’t personally white listed on all my systems.