@britechguy I stand by what I said, even the minor cases you're listing off.
Each and every customization is a change that must be managed, and as such reduces total security.
That reduction is quite variable, from the practically nonexistent to criminally negligent or malicious. But it's still a reduction.
Even a simple UI change causes anyone auditing the system later to account for it in the way they interface with the system, and can become a source of error.
So when I say reduction in security, do not constrain yourself to the limitations of what most consider cybersecurity, or information security. I'm talking about security as a raw, wide open concept that encompasses physical, interactive, virtual, network, and anything else you can think of that goes before the word. In this sense it's more akin to the concepts of risk and change and how these factors mold the human behavior around themselves.
It's one of those things that will make your brain melt if you're thinking about it correctly. But documenting this stuff is what a cybersecurity professional does. Why? Because you need an inventory... of everything.
An inventory of assets, configurations, changes, and even people.
Because you cannot secure anything, if you do not know what you're securing first. The first step is always an inventory or an assessment. And that inventory or assessment is incomplete if it doesn't have all the configuration items in it. A configuration items list must also include personal UI tweaks at times!
And it's those times that I ask myself why the heck I chose this profession.... but here I am!
But that is also why "defaults" are such a good baseline. Everyone has the same "default" configuration on any given software or hardware configuration. No change items from that point or a very short list is an easier list of things to review, and potentially have to mitigate.
