To not be compliant you'd have to do something like run it on the default port with the guest user enabled.
Although I will admit that the truth is sometimes stranger than you could imagine. We were called in after a penetration that got some attention in various parts of the world.
Turns out that a low-level network admin un-racked the wrong equipment, and then bypassed the firewall. Little wonder the network was found, thoroughly penetrated, and then the servers were re-tasked to run an entire segment of a bot-network.
Short form is that you can take a nominally secure platform, and make it a mess.