Many security standards are broken anyway
Cyber Essentials Plus includes a vulnerability assessment that only cares about vulnerabilities rated High or Critical, and the scanned targets only have to include the devices that end users log into interactively. So you can have an unpatched domain controller that results in the next big WannaCry-style incident and still be certified as compliant by your assessor. Or, even worse, you can patch your stuff but still use HTTP with authentication sent in plaintext, or run a PPTP VPN without PEAP protecting the authentication exchange, and be fine for both the self-assessment and the verification! Heck, feel free to NOT use full disk encryption while you're at it!
But if you dare to run Windows Insider Preview on any of your computers you will fail, because it doesn't meet the criterion of being supported by the software vendor, which stops IT from getting clued up in any meaningful way about what's around the corner.