I find the pay-to-play security that microsoft has in this instance to be quite shitty. If you make a complex ecosystem like exchange and deny access to complete logging allowing threat actors to go under the radar, you are a part if the problem and actively helping the threat actors.
I can look past them refusing to use vulnerability, it just seems like standard corpo double speak, but it is a bit odd for Microsoft to not use it.