Could Microsoft work harder on this? Sure. Do they have to worry about keeping their Customers happy? Absolutely.
The corporate IT market moves at a glacial pace. Hopefully the rise of IT security issues having actual business consequences will change that, but that's not Microsoft's problem. That's the ecosystem they live in.
Were bad protocol / design decisions made in the past? For sure. Microsoft has been working on this (see Managed Service Accounts and Group Managed Service Accounts). It takes time for corporate customers to adopt these new versions.
Corporate IT won't forklift out old systems without business justification. Maybe the pressure from the insurance industry will help. Pressure from the ransomware industry is a certainly helping, too.
Active Directory is just not developed anymore, its basically abandonware that everyone still uses. The new hot stuff is the Azure AD/Entra ID bastardization of Web Auth plus AD that they try to upsell people to.
https://learn.microsoft.com/en-us/windows-server/get-started...
Including the relevant:
> Kerberos changes for Algorithms used for Ticket Granting Tickets: The Kerberos Distribution Center will no longer issue Ticket Granting Tickets using RC4 encryption, such as RC4-HMAC(NT).
That's just client computer replacement, though. That's a known quantity and is on most IT orgs. roadmaps. We've been replacing computers regularly since we got PCs.
Moving to new AD functional levels, even when the actual risk is minimal, is something I've seen IT orgs. drag their feet on out of fear.
Fear of change is real in more areas than this.
I can't wait to decom our last 2012 R2 DCs and upgrade to something from this decade "soon".