Yes, totally agreed that for a LOT of organizations, relying on a system dependency that will likely get upgraded independent of your service is probably the simpler way to go and the way to make sure your TLS implementation stays current. But when you're building tier zero services that must control their dependencies like their lives depend on it, the opposite approach can be quite beneficial, and I don't need Microsoft telling me I'm doing it wrong because I'm not in the 99% use case.