Auto-run? Do you mean any code that's in the Workbook_Open event? I'm not sure how that is any less an example of 'removing features' than blocking macros on files originating from the Internet. Apart from that, it would be trivial to circumvent that solution, just by putting the malicious code into a different event and then artificially triggering it. A limited disabling wouldn't be effective enough in preventing malware attacks from being able to deliver payloads.
Your point about 'secure by default' not applying due to users being unable to change the default behaviour is strange... several methods have been documented for how to avoid the block and therefore change the behaviour.
This block is also limited to macro-enabled files with the MotW attribute... which itself is trivial to remove, even for relatively unskilled, non-technical end users. Anybody could be shown how to do that within 30 seconds. And then hey presto, your 'disabled software' is re-enabled and your end user has had to think twice before enabling potentially dangerous active content.
It's best we get used to the idea of VBA being a high-risk way of developing solutions, and accept the inevitable safeguards and restrictions that will have to be introduced to keep the platform alive until it is finally retired, and let's be honest, the writing is on the wall here in that regard. But that won't be for a while yet, I expect, certainly not until Office Scripts become more established and better conceptualised and implemented, so as to provide a viable replacement.