History has shown this argument to be wrong. Inevitably, successful
protocols - even if developed for limited use - wind up used in a
broader environment, where the initial security assumptions do not
hold.

To solve this problem, the IETF requires that *ALL* protocols provide
appropriate security mechanisms, even when their domain of
application is at first believed to be very limited.

It is important to understand that mandatory mechanisms are mandatory
to *implement*. It is not necessarily mandatory that end-users
actually use these mechanisms. If an end-user knows that they are
deploying a protocol over a "secure" network, then they may choose to
disable security mechanisms that they believe are adding insufficient
value as compared to their performance cost. (We are generally
skeptical of the wisdom of disabling strong security even then, but
that is beyond the scope of this document.)

Insisting that certain mechanisms are mandatory to implement means
that those end-users who need the protection provided by the security
mechanism have it available when needed. Particularly with security
mechanisms, just because a mechanism is mandatory to implement does
not imply that it should be the default mechanism or that it may not
be disabled by configuration. If a mandatory-to-implement algorithm
is old and weak, it is better to disable it when a stronger algorithm
is available.
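
The distinction between "mandatory to implement" and "enabled" can be made concrete in code. The following is an added example, not part of the original document: the mechanism names, the strength ranking, and all function names are hypothetical. It separates the implementer's conformance check from the operator's configuration, and retires a weak mandatory-to-implement mechanism whenever a stronger one is enabled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mechanism:
    name: str
    strength: int   # constructed ranking: higher is stronger
    mti: bool       # mandatory to implement per the (hypothetical) spec

# Constructed registry of what this implementation ships.
IMPLEMENTED = [
    Mechanism("legacy-mac", 1, True),     # old and weak, but mandatory to implement
    Mechanism("modern-aead", 3, False),   # stronger, optional in the spec
]

def check_conformance(implemented, spec_mti_names):
    """Implementer's obligation: every MTI mechanism must exist in the code."""
    missing = set(spec_mti_names) - {m.name for m in implemented}
    if missing:
        raise ValueError(f"non-conformant build, missing: {sorted(missing)}")

def enabled_mechanisms(implemented, disabled=(), retire_weak_mti=True):
    """Operator's choice: anything may be disabled, including an MTI mechanism.

    With retire_weak_mti set, an MTI mechanism is switched off whenever a
    stronger mechanism remains enabled.
    """
    active = [m for m in implemented if m.name not in disabled]
    if retire_weak_mti and active:
        best = max(m.strength for m in active)
        active = [m for m in active if not (m.mti and m.strength < best)]
    return active

def negotiate(local_enabled, peer_offers):
    """Pick the strongest mechanism both sides have enabled, or None."""
    common = [m for m in local_enabled if m.name in peer_offers]
    return max(common, key=lambda m: m.strength).name if common else None
```

A peer that offers only the weak mechanism fails negotiation under the default policy; setting retire_weak_mti=False restores interoperability with it, at the cost of accepting the weaker mechanism.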