No. It’s extremely common for security standards to be completely out of step with what’s actually viable in an organisation, and for aspects of them to be ignored, unspoken.