I think _hl_ is thinking of compliance in terms of compliance with a government regulation, or internal company policy, rather than compliance with the TLS standard.
Large organisations may even have a department named compliance whose job is to ensure the whole company obeys certain policies, or at least, in most cases, that they avoid being fined / prosecuted / shut down for not complying.
In practice this shades over. Compliance may include the 3rd party contractor who wanders into a C-suite meeting, wearing somebody else's badge, to point out that, er, company security policy isn't being obeyed: you there, Bob, this badge I'm wearing is your badge; why are you in this meeting without your badge, and why is your badge, now around my neck, still working even though you lost it last week?
But it will also include Sarah, who would really rather be playing Solitaire, and is implementing the policy that everybody needs to check this box which says "I have no outside interests in violation of Federal Rule 1234.567". What is Federal Rule 1234.567? Sarah doesn't know and doesn't care. She also has no clue what you should do if you in fact do have outside interests which violate this rule; she just wants you to check the box.
When it turns out the company has over 800 staff in violation of 1234.567, the lawyers will insist "But we checked none of them were violating the rule", and so the company didn't break the rules.
People like Sarah caused the shitty systems to be installed that, you're right, do not comply with the TLS specification, but it's not really Sarah's fault; people like her are always going to exist. We should make it harder to get it wrong than not to, so that laziness results in success.
I agree it's probably not Sarah's fault, but certainly the company would be at fault for incorrectly implementing the TLS standard. Especially if they advertised TLS support to their customers and users.