If implementing a standard leads to an unavoidable security hole, should you follow it?