Because there isn't a Big Book of Industry Best Practices everybody can trivially agree to use?
Sometimes they don't exist - who maintains a sufficiently reputable list of safe email clients and web browsers?
Sometimes they exist but they carry some baggage - the FIPS standards for cryptography are probably fine, certainly better than hardcoding a couple of algorithm names, but they're also controlled by a foreign government.
Best practice most likely wasn't good enough back when the original text was written. But yeah, they should have made it a bit more future-proof, and they definitely shouldn't have copy/pasted the text into new treaties 12 years later.