My argument is that the blanket "enforce it with laws" is meaningless until this document exists. I'm not saying that I don't practice security in my apps or that no-one should, just that the law (right now) is not the right tool to fix this problem.