If I don't want subdomains to send out email, do I need SPF records for them?

Subdomains are not affected by the main domain's SPF record. If you have a bunch of subdomains that you know will never send mail, the best thing to do is to define an SPF record of -all for each of them. That way, the internet can also know that you intend them never to send email.

Edit: if there is no SPF record in place for a subdomain, recipients who check SPF will see no SPF-related reason to block it.

Yes, SPF will do nothing to prevent someone accepting mail from a subdomain without an MX record. They might choose not to, but as long as it resolves - and sometimes even if it doesn't - they might choose to. That is not an SPF issue.

Your current SPF record will do nothing to prevent spoofing on your subdomains, because as I said, subdomains are not affected by the main domain's SPF record.

I'm sorry this will be a lot of work for you, but if you want to use SPF to advise recipients to reject emails from these subdomains, you will need to define SPF records for them. That's how the protocol works.