If you really want to go that way, start with removing the compiler first. SELinux and AppArmor are also something to look into for making sure no one can bring in their own compiler into userspace. It is very rare for that to be worth it.
In general hire a specialist if you have a client requirement and do not have one in-house.
With the newer (i think version 38) setuptools and zc.buildout one can use wheels from within zc.buildout, so this means that no compiler is needed to get lxml and the likes in if I understood it correctly.
But as @Rotonen points out, security by committee is probably not what your clients want