The power of defaults
We all know that most people don't change the default settings. But what if the defaults are poor? Would people change them then? I submit that they won't.
The example I have is vbulletin attachment download permission. The default vbulletin settings, since times ancient, have been to permit guest read access to forums and threads but not to attachments. Downloading attachments requires one to register and log in.
In terms of security, this is a silly choice. People do not tend to post privileged information in attachments on public forums. Either the entire forum is public, or it is not.
Maybe the justification for prohibiting guest attachment downloads was to encourage people to register. Maybe on some forums this actually drives registrations. By and large, I don't think so. Let's broadly divide people reading forums into two categories: those who are looking for information and those who are killing time. People who are looking for information might register if they really need to look at that attachment, but they are unlikely to participate in the forums because they are trying to solve some other problem. People who are killing time are probably going to move on to the next website and not register.
Yet, of vbulletin forums I come across, I would say nearly all if not all of them require registration to view attachments. The administrators are not benefitting from this requirement, it annoys visitors, but there it stays. All because someone at vbulletin decided over a decade ago that attachments should be downloadable by logged in users by default.
When I worked on phpbb one of the defaults I wanted to change was permit guests to view member profiles. Most of the information in profiles is irrelevant to a typical visitor who just came to the board from Internet, except for one thing: the link to view all of the member's posts. To date this change has not made it into the software though.