alt Hacker NewsSecurity field isn't about security, it's about managing liability. "Best Practices" don't need to result in actual security - what matters is that, if you follow them and a security incident happens, you can say you followed the Best Practices and therefore It's Not Your Fault.
You are right. And by now an "it will be fixed next month" seems to be enough. even when nothing is fixed.