@britechguy
The good news and the bad news is... Microsoft is doing this.
If I configure an M365 tenant right now, the defaults it gets are drastically different from what was there a year ago, which doesn't even bear a passing resemblance to what was there when the platform launched.
The problem is... those are DEFAULTS. At no point does Microsoft dig into these systems and update them. The setup might be OK today, but every so many years you need to dig through there and audit it again.
As service providers we have a simple choice...
Put the time in as I have, or watch your customers get hacked...
Though... I suppose you could also contract that service out to a 3rd party and have them do the audit. Which is what my current workplace does; we have our own Security Operations Center (SOC), and we white/grey-label that thing all the time.
From a compliance and liability perspective you really want a 3rd party doing that work anyway. The courts and the insurance companies love it.
But Microsoft will not do it, because they cannot... The compliance rule set includes limited estate ownership. That ownership means Microsoft has to stay out of your chunk of their space you're renting to a large degree. Much like how a landlord cannot just come into your apartment without notice.
That isn't to say they do not ever make sweeping changes. They're doing the Security Defaults push if you don't have any Conditional Access policy update right now, that started in May. So they do update things when they're huge, but they have to give months of notice, and it breaks stuff... and this too gives them bad press. They simply cannot win here.
P.S. The PowerApp integration being cried about in that article you linked? That was actually a sold and advertised feature of Power Automate!
"It's not a bug, it's a feature!" literally applies here.
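The periodic tenant audit the post argues for starts with a baseline you can diff against later. The script below is an added example, not the poster's code and not anything from Microsoft's own tooling; it assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account holds the Policy.Read.All permission. It snapshots the two settings the post mentions (Security Defaults and Conditional Access policies), flags the "neither one is on" state that the Security Defaults push targets, and writes the result to a dated JSON file for the next review.

```powershell
# Added example (not the poster's code): capture the tenant's Security Defaults
# and Conditional Access posture so it can be compared on the next audit.
# Assumes the Microsoft.Graph module and an account granted Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

# Security Defaults is a single tenant-wide toggle.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

# Conditional Access policies replace Security Defaults once a tenant outgrows them;
# a tenant cannot run both at the same time.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy)

$snapshot = [pscustomobject]@{
    Captured                = (Get-Date).ToString("o")
    SecurityDefaultsEnabled = [bool]$securityDefaults.IsEnabled
    ConditionalAccess       = @($caPolicies | Select-Object DisplayName, State, ModifiedDateTime)
}

# The gap the post describes Microsoft forcibly closing: no Security Defaults and
# no enabled Conditional Access policy at all.
$enabledCa = @($caPolicies | Where-Object { $_.State -eq 'enabled' })
if (-not $snapshot.SecurityDefaultsEnabled -and $enabledCa.Count -eq 0) {
    Write-Warning "Neither Security Defaults nor any enabled Conditional Access policy is in place."
}

# Report-only policies are a common leftover from a half-finished rollout; list them
# so the auditor decides whether they should be enforced or removed.
$caPolicies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' } |
    ForEach-Object { Write-Host "Report-only policy: $($_.DisplayName)" }

# Persist the snapshot. On the next audit, load the previous file and diff it:
#   Compare-Object (Get-Content old.json) (Get-Content new.json)
$outFile = "./tenant-posture-$(Get-Date -Format yyyyMMdd).json"
$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile
Write-Host "Snapshot written to $outFile"
```

Keeping the dated snapshots in source control turns the "every so many years" audit into a diff review: what Microsoft changed underneath you shows up as a change in the file, separate from anything your own admins did.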