Not in their interest, is it?
NCSC may be part of GCHQ, but their remit is to protect government (interpreted broadly) systems, and UK businesses.
There are plenty of other people saying password resets other than when compromised are a bad idea.
If Citrix wanted to do something useful, they could check new passwords aren't in the Have I Been Pwned database.
Biting the hand that feeds IT
