Re: What do you expect from...
So you are talking about decade+ old software in most cases.
And autorun hasn't been enabled by default for many years.
That whole "only runs for admin accounts" has always been bollocks used as an excuse by lazy admins and develepors.
Honestly, 5 minutes with Sysinternals' Regmon and Filemon (from way back in their earliest iterations) would show up where users hadn't the correct rights to run someting, and it could be changed at a file/key level.
But...it was always "just easier" to make a normal user a local or <shudder> domain admin.
I lost count of how many times I saw that particular fudge - especially in Citrix / TS / RDS environments.
Like, in this case, allowing macros to run whether or not a user took the active decision to disallow them is lazy and goes to show that not everything or everyone in open source, or closed source, can follow the concept of best practices.
And many eyes checking the source, while a great concept, only works if the right eyes look at the right area (and that's not a slur against open source).
"...Some bugs and bad defaults in Explorer since Win95 are still there in Win10...."
Could you cite some of these, because a lot of your initial list looks mostly wrong.