Checklists work well in high stress situations where you cannot forget a step (medicine, aviation).
A checklist in a security incident? Probably helpful.
A security checklist to satisfy auditors and ancient regulations? This is an entirely different kind.
Yea, the problem most often in computer security checklists is misapplication of the checklist.
I do cyber security related stuff for finance and they have some of the dumbest checklists ever.
A more recent one I got was
"We only allow the HTTP verbs 'GET' and 'POST', your application can only use that and the verbs PUT, PATCH, and DELETE cannot be used."
After not replying 'are you fucking stupid' I said
"You do realize that you are using a RestAPI application and that these verbs can go to the same interface to modify the call in different ways? Not only would we have to rewrite our application which would probably take months to years, you would have to rewrite tons of applications on your side to make this actually work."
You get these dipshit auditors from other firms that pick up some 'best practice' from 2003 and put it in a list then get a god complex about it needing to be implemented when they have absolutely zero clue why the original thing was called out in the first place.
For those who wonder, typically these verbs are disabled to prevent the accidental enablement of WebDAV on some platforms, especially Windows/IIS that had some issues with security around it. It makes zero sense for such a rule in a modern API application.
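Added example (not from the commenter above): an IIS web.config fragment that addresses the underlying WebDAV concern by removing the WebDAV module and handler, so the application's PUT/PATCH/DELETE routes keep working. The request-filtering block shows the checklist-style verb block for contrast; the module and handler names are the standard IIS ones.

```xml
<!-- Added example, not from the original comment: IIS site web.config -->
<configuration>
  <system.webServer>
    <modules>
      <!-- Remove the WebDAV module so it never handles requests,
           even if the WebDAV feature gets installed on the server -->
      <remove name="WebDAVModule" />
    </modules>
    <handlers>
      <!-- Remove the WebDAV handler mapping for the same reason -->
      <remove name="WebDAV" />
    </handlers>
    <!-- The blunt checklist approach, shown for contrast only.
         Blocking the verbs themselves breaks a REST API that routes
         PUT/PATCH/DELETE to the same resource URL as GET/POST. -->
    <!--
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="PUT" allowed="false" />
          <add verb="PATCH" allowed="false" />
          <add verb="DELETE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
    -->
  </system.webServer>
</configuration>
```

After deploying, a PUT to an API resource should reach the application handler rather than returning a WebDAV or request-filtering response, which is the behaviour the original rule was trying to prevent without the collateral damage.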