fch42 | 7 months ago
It's a bullsh*t rule. One that would work is a clear mandate, "if you're found to use env vars / args for secrets, you must demonstrate within four weeks of finding that you have implemented code to clear your process' args/env vars immediately after program startup, for the lifetime of the process (and that you moved all secrets to non-cleartext memory)". Given how frameworky-frameworky much modern software is, such action items make folks think ("how on earth do I get state to openssl&Co without env vars", ...).
But alas, the regulations people shy away from any such precise prescriptions - because then, they have to involve themselves with SRE, SOC, CI/CD, and developers for monitoring, enforcement and training/assistance.
So instead, as you say, byzantine Rube Goldberg constructs are created exploiting "every loophole in the book" to comply with the rule but not the spirit; software becomes even more of a performance art.
I think, over time, I have moved into the camp that strongly believes all practical security is security-from-obscurity. Starting with the compliance rules around it.
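As an added illustration of the mandate the comment above sketches (not code from the commenter), here is what "clear your args/env vars immediately after startup and move the secret to non-cleartext memory" looks like in C on Linux; the variable name APP_TOKEN, the 256-byte buffer size and the `--token=` flag are assumed for the example:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define SECRET_MAX 256   /* assumed upper bound for the example */

/* Holds the secret after it is removed from the environment; mlock()ed so it
   is not written to swap. Not encrypted, but no longer visible in
   /proc/PID/environ or inherited by child processes. */
static char secret_buf[SECRET_MAX];

/* Overwrite a C string in place; volatile keeps the compiler from eliding it. */
static void wipe(char *s) {
    volatile char *p = (volatile char *)s;
    while (*p) *p++ = 0;
}

/* Move the secret named `name` out of environ into secret_buf.
   Returns the secret's length, or -1 if it is missing or too long. */
int take_secret_from_env(const char *name) {
    const char *v = getenv(name);
    if (!v) return -1;
    size_t n = strlen(v);
    if (n >= SECRET_MAX) return -1;
    (void)mlock(secret_buf, SECRET_MAX);  /* best effort; may fail under RLIMIT_MEMLOCK */
    memcpy(secret_buf, v, n + 1);
    wipe((char *)v);                      /* scrub the original "NAME=value" bytes */
    unsetenv(name);                       /* drop it from environ for exec'd children */
    return (int)n;
}

/* Scrub argv[from..argc) in place so /proc/PID/cmdline no longer shows them.
   Returns the number of arguments wiped. */
int scrub_args(int argc, char **argv, int from) {
    int wiped = 0;
    for (int i = from; i < argc; i++) { wipe(argv[i]); wiped++; }
    return wiped;
}

int main(int argc, char **argv) {
    int n = take_secret_from_env("APP_TOKEN");       /* assumed variable name */
    int wiped = scrub_args(argc, argv, 1);           /* e.g. a --token=... argument */
    printf("secret bytes moved: %d, args wiped: %d\n", n, wiped);
    return n < 0 ? 1 : 0;
}
```

The secret is still exposed in the window before these calls run, and the kernel keeps no copy, so the remaining leak paths are core dumps and anything that reads the process's memory.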