As a general rule, vendors have very little knowledge of DBA best practices, so they just toss out some misinterpreted stuff that some junior developer found on some web site which may or may not apply to the current version of SQL Server. I have seen so many bad practices advocated by vendors that I expect it.
The last vendor I had to deal with had an application that required the use of a specific SA password to connect to the database on a specifically named (non-default) instance. Having an application use a hard coded SA password is really bad security, but it's just some medical application, so no big deal. :crying:
At least they didn't tell me to set the databases to simple recovery or not do backups.
Another vendor application (for a building security system) required the use of a blank SA password so I guess it can always get worse.