My understanding (after only a few days configuring Moodle, so I may be wrong) is that it isn't the roles that you edit that matter so much as to what contexts those roles are assigned. The Authenticated User is the default system role, so every other context inherets it's capabilities if you don't put something else at the system level. Simply changing the permissions in the Student role to Prohibit works as long as the Student role is assigned to the system context as well.
In my tinkering I have noticed that assigning Student as a system roll made locking down access very easy. For the few things I want students to have access to I instead set the Student role to Prevent and create another role for that feature with the Allow permission.
For example, I wanted all blocks except for Navigation and Settings disabled. ALL block permissions are set to Prohibit except for moodle/block:view which is set to Prevent. I then created a new role with moodle/block:view set to Allow and assigned that roll to the Navigation and Settings blocks. Works like a charm and I have no "Customise this page" button.