Having worked with a number of different companies, and these frameworks are the floor of best practices, these frameworks are far above the subterranean caverns many companies operate their security postures from.
You can do worse than The Frameworks! But it doesn't follow logically that The Frameworks are a good starting place --- they can be (really: are) worse than the outcome from simply ignoring The Frameworks altogether.