IAD recommends not upgrading to ECC in case this would incur significant costs, only to have to upgrade again once they settle on quantum-resistant algos. So not because of crypto reasons, not because ECC is more vulnerable to quantum attacks relative to RSA, but because of practical operational and economic reasons. They think they will have quantum algorithms soon enough so that RSA >=3072 is OK in the meantime. At least that's my understanding of what they're saying here: https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite....