In practice, when dealing with US auditors and infosec chiefs, saying that "Some research/guidelines say X is not necessary" will not compel anyone to change because "This has always been this way, and it doesn't _hurt_". The conversation becomes categorically different if you say "The White House says X is not allowed anywhere."