You are not the only one to have this thought. The problem is - who comes and fixes the mess when the inevitable customizations needed have been done by a contractor who is now long gone? It seems like a great idea at the beginning, but at some point someone ends up responsible for a fleet of AWS accounts that have diverged in different odd ways. Who is that someone? Individual departments? A centralized department?
The latter sounds nice except for the lack of appetite (on both sides of the Atlantic) for doing what's necessary to recruit and keep SREs as actual government employees rather than just contracting everything out...
I don't think it ever quite works in practice. Letting teams come pick up the config module off the shelf in January is all well and good, but when the maintainers of the module issue a security fix in October, how can you ensure the consumers apply it?
On top of that, how can the maintainers know if a change they make will be safe in the environments of the consumers?
IMO you either offer the whole service (i.e. a PaaS), or you form technical groups within the organisation which regularly share their learnings and experiences. Sharing code (aside from the smallest modules) when you don't have control or influence over the consuming team just doesn't work in the long run.