I don't think the rule would be better with more detailed vulnerability scanning requirements! All these things inexorably become races to the bottom.
Yes, exactly, the rules are intentionally broad and vague. You can wave paper at most of them and technically succeed. And then when you release accidentally PHI for the first time and your bullshit comes to light, your chickens will come home to roost. Doing a good job on compliance is less about security and more about staying out of jail.