"without saying why VMware decided on the extra guidance."
Because it's far past time to get serious about security, Simon. We used to talk a lot about these sorts of things pre-COVID, but trapped at home it's much harder to get the message out about doubling down on basic security processes, and we needed to take a stronger stance. The nice thing about the Security Configuration Guide is that it isn't tied to compliance frameworks & auditors, so you can selectively use it or ignore it at will! But the guidance is out there now for all to see.