Agreed on all points. The FDA uses a multi-pronged method to manage red without changing the law.Personally, I think the FAA was pretty clever in using advisory guidance for this (as it does for many other things) instead of issuing regulations which technology might moot in a month.
All the FAA is saying is, "your electronic records need to meet standards of authenticity. Here are some you can follow as a 'safe harbor.'" Doesn't preclude someone, particularly a company, from looking at other industry standards which accomplish the same thing, perhaps updated ones that are maybe even better. Pretty standard fare from what I've seen in other regulated industries.
Your prior company? Well that's what compliance counsel or other compliance professionals are for. Not SGOTI.
Law is writer. Reg is created and put out for comment. Comments are reviewed and the reg is tweaked.
The reg is released with a preamble that goes over every comment and the agencies thoughts and intent are defined so we can know the mind of the regulator.
The agency uses a concept of Current Best Practice so as tech or law moves, the agency can hold companies accountable for how the do work.
For highly complex issues they issue Guidance Documents that provide detailed 'why/how/who' directions.
It works pretty well.