You Can't PDF Your Way to Good Software (codingthewheel.com)
11 points by baha_man on May 11, 2008 | hide | past | favorite | 1 comment


I'll now annoy and patronize you all by again agreeing with the spirit of this post while disagreeing with the particulars.

Security documentation is different from normal documentation in that it serves dual purposes, and "comprehensible documentation" is the lesser of the two. The more important objective of a security standard is to provide citable line-item rules that can be audited against, and the reason you do that is so that you can make reviews, tests, and audits objective.

You can argue with the specifics of those rules, but even something as obvious as "keep windows synchronized with data" could merit a line item if it's something that bad devs consistently fuck up, and could be inclined to argue with ("that's not a security problem and nobody has ever complained about it!") in a review.
