The issue is 99% don’t know them and are not very good at following them. And the cost of error is very high.

I’ve seen a lot of startups that failed to implement even google oauth securely.

So yeah it’s a far cry from fud and you really should not do it unless you are actually good.

There are plethora of mistakes one can make in implementing AuthN/AuthZ, and many of them almost immediately will lead to either the direct leak of PII or can form the start of a chain of exploits.

Storing password hashes in an inappropriate manner -> BOOM, all your user's passwords are reversible and can be used on other websites

Not validating a nonce correctly -> BOOM, your user's auth tokens can be re-used/hijacked

Not validating a session timestamps correctly -> BOOM, your outdated tokens can be used to gain the users PII