As a case in point: https://tools.ietf.org/html/draft-wkumari-not-a-draft-05

I think publishing an IETF RFC on security best practices is hard, but I hope these authors manage to pull through