But you can, as an organization, choose to follow one and be "Secure by default", with exceptions e.g. "Open a port other than 443 to the Internet" being understood and risk managed.
It will slow down developers, for sure. But everything's a tradeoff.
I’m just saying that the objection of N:1 ratio of bad to good items on a checklist remains precisely because of the reasons I outlined. I have seen this repeatedly in design spec reviews to the point that people start skipping the checklist because it’s worthless boilerplate.