You'd be surprised. Any organization regulated by federal government entities, such as banks via the OCC, FDIC, etc., is being required to "meet" CISA guidelines. ESPECIALLY those with federal/military contracts.
CISA has a lot more sway than you'd think in how businesses operate from a security point of view.
Being this broad allows for some more latitude by the businesses / sectors following these guidelines. But they certainly could've been more thorough in their approach without much pushback.
As someone who is involved in compliance in these industries, I would be surprised to see CISA having anything close to the impact you described.
All I see are watered-down checklists that can be verified by any human being who is semi-literate and may or may not have any relevance to security best practices. They probably were influenced on some level by CISA guidance if you're talking about .gov or commercial entities, but it is nowhere near the level of impact you mentioned.
Do you have any examples of CISA guidelines having a meaningful impact on business operations?