It never made sense to me that large software suites like these don't offer a secure by default option on creation or as a progressive migration after creation. Why soo many steps...
Secure is very subjective. One of the tasks in the article is enabling email quarantine for encrypted attachments. What if an org receives a lot of encrypted attachments as part of their business, that option would slow them down. Or what if an organization is in a country that can’t easily receive yubikeys, why would they want to enforce those?