Both sides. If Microsoft know the problem, the standard configuration should default safe and the admins have to make it unsafe, if required.
And, yes, because Microsoft have neglected to do the right thing on their side, admins need to ensure they apply what Microsoft advises, but refuses to do itself.