There are a couple of conflicting trends here. Most IETF security-related work is aimed at the public Internet, not internal enterprise. On the other hand, it makes sense to want COTS solutions and not purpose-built things. We have direct experience with users being forcibly “downgraded” when options to do that are available, which is why many participants are loath to add things like “static RSA key exchange” or “no content encryption” to the protocols developed here. As Paul alluded, you’re unlikely to find much agreement for your use-case given the perceived risks.
On the other hand, you might be able to convince your vendors to support RFC 9150 and make it a requirement in your RFPs.
