I noticed the .htaccess code was never changed after a Defender update. The .htaccess file is only updated when a file scan indicates that there is a reason for an update.
Assume Defender is installed, a file scan is done, and .htaccess gets written with settings to close vulnerabilities. Now update Defender, which includes scans for new issues. We go to the Defender dashboard, it shows "the skies are clear", and we move on. But .htaccess isn't aware of the new Defender features.
I recommend that when a Defender plugin update is performed, the results of the previous scan are removed. This will compel us to do new scans which may catch issues that were not caught by prior versions. It will also force a new prompt to update .htaccess, and that update will then protect against the newly handled issues.
As an example of this issue, in some recent update, the file "ads.txt" was added as an Allow exception. My .htaccess file wasn't updated with this until I forced a new file scan, even though the UI said "the skies are clear".