“As a general rule of thumb, about two-thirds of security “standards” or “certifications” (though not “guidelines”) make security worse.”