"Security" is not a binary, but a spectrum along which there are various tradeoffs. The vendor attempts to select the best configuration for its average/median user, and that's almost by definition not going to be the most secure configuration (see: tradeoffs).

I do think there should be some UI somewhere that allows for locking all things down to the most secure configuration possible.