In my last job doing public sector consulting, I saw a lot of our customers mandating encryption at rest for all databases without being able to even articulate the tradeoffs and risks, and without also mandating any sort of key management strategy. I saw this on RFC's for different departments in different states. It's clearly become a checklist item. But the incomplete understanding is scary. I guess somebody is going to have to lose access to something big due to an external attacker getting access to a keyserver or to a disgruntled admin to make people understand the risks.