"n essence, the CSRB report said that Microsoft should feel very bad about the fact that they did not rotate their keys more often—but did not explain the logic, give an actual baseline of how often keys should be rotated, or provide any statistical or survey data to support why that timeline is appropriate."
https://www.defenseone.com/ideas/2024/08/lets-start-treating-cyber-security-it-matters/398534