Why are the defaults for 'cephx require signatures' and similar still false? Is it still necessary to maintain backwards compatibility with very old clients by default? It seems like from a security POV, you'd want everything to be more secure out of the box, and require the user to explicitly disable security if they need backwards compatibility with ancient clients.