Final answer:
The few steps needed for default IIS security in Windows Server 2019 are due to the minimal configuration design of IIS for basic functionality. Additional security measures are typically required and administrators are expected to customize settings to suit specific needs, despite the enhanced security protocols in Windows Server 2019.
Step-by-step explanation:
The question concerns why there are so few steps to secure default IIS in Windows Server 2019. The most accurate answer is that IIS is designed with minimal configuration requirements for basic functionality. This implies that IIS, when installed, is configured with some default settings that allow it to work out of the box for most common scenarios without further complicated setup. However, it doesn't mean that the default settings are the most secure; security is often a balance between convenience and protection. Administrators are expected to evaluate their particular needs and apply additional security measures as necessary for their environment.
It is also essential to note that while Windows Server 2019 inherently has stronger security protocols compared to previous versions, that doesn't exclude the necessity for proper configuration of IIS or any other service running on the server. In fact, Microsoft produces best practice guidelines and tools to help with securing services like IIS.