Sometimes, a different voice can say the same thing and it is able to
get the message across:
There is no particular policy about the levels of security that must
be provided by all/most/some protocols (except, I guess, for the
recent routing protocol requirements) or the particular mechanisms that
must be used to provide (or not provide) such security.
There IS, however, a requirement that specs make explicit statements
about what the provided level of security is.
If users are comfortable with none and want the service provided by
a protocol, then that's fine. Just as long as the spec contains
a statement of the security-related issues for the spec.
Dave