It’s worse & an intractable problem. “Close the damn ports” may very well be one of those useless items for one team and relevant to another. So do you have team-specific checklists or generic checklists that everyone must follow? If you have specific checklists, then you miss things that are relevant. And what happens when you make a change to how the system works & some item is no longer relevant while another becomes relevant? There are no easy answers here, I think, with respect to checklists.
But you can, as an organization, choose to follow one and be "Secure by default", with exceptions e.g. "Open a port other than 443 to the Internet" being understood and risk managed.
It will slow down developers, for sure. But everything's a tradeoff.
I’m just saying that the objection of an N:1 ratio of bad to good items on a checklist remains, precisely because of the reasons I outlined. I have seen this repeatedly in design spec reviews, to the point that people start skipping the checklist because it’s worthless boilerplate.