I'm all for good #infosec practices, but sometimes we dot i's and cross t's just to make our scanners happy because some remediation adds no real value.

For example, denying port 3389 (RDP) in our network ACLs when we never use Windows instances. I'm locking a door to nowhere.