With the default key hierarchies, the benefit is more limited. It raises the bar. Implementing known vulnerabilities takes work. And not ever configuration is vulnerable to every issue. And, for a lot of the vulns, the OS vendor shoves things in the dbx to mitigate.

With custom hierarchies, it's a bit more compelling. But it's a lot of work to maintain.