Because they/we don't have sufficient integration tests to verify that the core system services are working after tightening down each parameter.

From https://news.ycombinator.com/item?id=29995566 :

> Which distro has the best out-of-the-box output for?:

  systemd-analyze security

desbma/shh generates SyscallFilter and other systemd unit rules from straces, similar to how audit2allow generates SELinux policies by grepping for AVC denials in permissive mode (given kernel parameters `enforcing=0 selinux=1`), but should strace be installed in production?:

desbma/shh: https://github.com/desbma/shh
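
The trace-to-allowlist idea described above, as an added example that is not part of the comment and is not code from desbma/shh: it derives a `SystemCallFilter=` line from strace output and then shows which syscalls in a later trace the profiling run never covered. Both traces and the function names are constructed for illustration.

```python
import re

# Constructed `strace -f` output for a hypothetical service (not a real capture).
PROFILE_TRACE = """\
1201 openat(AT_FDCWD, "/etc/app.conf", O_RDONLY|O_CLOEXEC) = 3
1201 read(3, "listen=8080\\n", 4096) = 12
1201 close(3) = 0
1202 accept4(4, NULL, NULL, SOCK_CLOEXEC <unfinished ...>
1201 epoll_wait(5, [], 64, 1000) = 0
1202 <... accept4 resumed>) = 6
1202 write(6, "ok\\n", 3) = 3
1201 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1203} ---
1202 +++ exited with 0 +++
"""

# Constructed later trace: a code path the profiling run never exercised.
LATER_TRACE = """\
1301 read(3, "", 4096) = 0
1301 renameat2(AT_FDCWD, "a.tmp", AT_FDCWD, "a", 0) = 0
"""

# Optional pid prefix, then either `name(` or `<... name resumed>`.
# Signal (`---`) and exit (`+++`) lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?:\d+\s+|\[pid\s+\d+\]\s+)?"
    r"(?:<\.\.\.\s+(\w+)\s+resumed>|(\w+)\()"
)

def observed_syscalls(trace):
    """Return the set of syscall names seen in strace text."""
    names = set()
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            names.add(m.group(1) or m.group(2))
    return names

def filter_directive(names):
    """Format an allowlist as a systemd SystemCallFilter= line."""
    return "SystemCallFilter=" + " ".join(sorted(names))

def would_be_denied(allowlist, trace):
    """Syscalls in `trace` that the allowlist does not cover."""
    return sorted(observed_syscalls(trace) - set(allowlist))

if __name__ == "__main__":
    allow = observed_syscalls(PROFILE_TRACE)
    print("[Service]")
    print(filter_directive(allow))
    print("not covered by profiling run:", would_be_denied(allow, LATER_TRACE))
```

The allowlist is only as complete as the workload that was traced, which is the same coverage problem as the missing integration tests mentioned at the top.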