by seancoleman
2006 days ago
Compliance is security, or said differently, non-compliance is a security vulnerability. In an isolated instance, it may seem obvious that bcrypt is superior to SHA-2 (it sure is to me). But managing security posture at scale, across a massive enterprise with disparate teams, is tough. Rogue groups make bad security decisions all the time. Committees are formed, and policies are put into place to guard against this. Auditors are charged with enforcing those policies. Changing policy itself presents risk (both organizational and personal/job-related risk). Therefore committees are conservative about adapting to evolving environments. This is the Occam's Razor explanation for why Things Just Don't Make Sense around many corporate IT security policies.