Why is Microsoft's implementation a problem? Having the setting default to a safe value is the rational choice.
It's like saying having a secure OS/browser would deprive malware authors of revenue, and thus vulnerabilities should be preserved unless the user explicitly opts into patching them.
This combined with governments ignoring it, and actively enforcing GPC... it's questionable whether compliance is necessary (I still suggest treating it the same as a GPC signal).
But future work and effort should be put towards the GPC signal.