"Best practice" in cybersecurity is largely vendor-driven with little to no independent empirical validation.

That standard is likely to lock people into buying some pretty bad software, but it does little to ensure that they're running reasonably secure systems.