HCL have been good on changing defaults in upgrades of Domino settings, particularly on TLS ciphers (and moving them from the notes.ini).
I think we should be generally moving towards the most secure option being the default (useless you specifically set it another way), also generally any "consensus" type of settings that are explictly set in many (well managed) sites should probably be default.
I don't see any reasonable reason why the default on any new server(and likely server upgrades - with an optional tickbox - do you want to apply new defaults to this server) build shouldn't be
-Go to the latest available ODS on new server registrations and server upgrades with possibly a prompt similar to the upgrade your domino directory design prompt on first start i.e. do you want to upgrades your ODS level y/n do you want to compact everything in the data directory to upgrade the ODS now warning if you have a large amount of data this may take some time y/n (and apply the ODS level via either server doc or configuration doc, rather than notes.ini)
-Turn on port encryption/compression
-Compare public keys
-Log public key mismatches
-Automatically Restart Server After Fault/Crash.
Most of these likely could be achieved without massive development effort and aggregated together I think you're defaulting to more secure, easier to setup servers.
There's probably more that make sense (transaction logs maybe, certmgr as a default task) the community should likely be engaged on same (and the option should be available to de-select any of these).
Could not agree more.
However, overwriting settings that customers (knowingly or not) have set, will cause problems. e.g. Public Key checking will reveal that the public keys stored in the NAB are out of sync and a cleanup action is required that potentially can take a long time.