Well, here is my set of "why"-s.
I'm a long-time prophet of the good old idea "the best AV must contain the brain.sys driver", so for the last few years I haven't used any AV but a SuRun + HIPS (Malware Defender) chain, plus Sandboxie or a VM sometimes. I've tried CIS many times, starting from the late 3.x versions IIRC, but I constantly uninstall it and return to this combo. So, well, here is my top list of stupid/questionable (this opinion is based on long-time, multi-year experience) things.
1. CIS "configurations" are bullrubbish* -- they don't allow easy switching between different protection levels, because every time I switch to a previously unused config I need to re-create all the rules from scratch.
CIS "Sandbox" is very hard and (mostly) stable, and "Auto-sandbox" works well enough, but it misses two important things -- there is no way to...
2. ..."transfer" a running app out of the SB -- the only way is to relaunch it completely;
3. ..."transfer" a sandboxed app's data out of the SB -- while it's possible to copy out new/modified files, there is nothing to be done about new/modified registry settings.
Firewalling in CIS was one of the best for a very long time, but... Hey, devels! It's the 21st century today! And CIS networking, to be more precise -- addressing -- looks "ancient" at the least, not to say more. There's a bunch of private/mobile nets around every corner today, and these nets use the same addresses (like 192.168...) very often. And both my-best-friend's-home-net trusted net and my-favourite-pub public network can use the same 192.168.1.x, making all the rules (and especially the "Trusted networks" paradigm) absolutely useless at the least, and maybe dangerous.
4. The network addressing scheme in CIS FW rules refers to a net/mask only and doesn't allow making different rules for the same addressing.
And last but not least
5. The CIS UI gets more and more housewife-oriented and loses small but very useful features, like the tiny button to call the Process List that was placed on the "Home" tab and is almost hidden, too far away, in the latest versions.
1. Put [user-created] app/net/HIPS rules into a separate config "area", allowing these rules to be reused with different configs (mark every rule with a "mark" pointing to the config under which it was created, if you really need it).
2. While the CIS drivers intercept almost every kernel/OS function call, there is only one little step left to go: realise an ability to "unhook" apps (freeze the process, modify its internals to point to the real functions, unfreeze).
3. "Transferring" a not-running app out of the SB -- it's extremely simple and there is nothing to say -- just copy the files and merge the registry.
4. Network addressing should take into account not only address/mask but other data too -- for example the Def.GW and/or DHCP DNS etc. IP and/or MAC etc. -- like what was planned in the Win7 "Net Detection", but smarter and not so ugly.
5. Make somewhere in Options a [deeply hidden] option, "I'm not a blondie" / "I'm a power user", that unhides all the useful UI elements (like the above-mentioned "Processes" button) that were removed during the 3.x -> 4.x -> 5.x "redesigning".
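The network-identity problem raised in point 4 of the complaints (a trusted home net and a public net both living on 192.168.1.x) and the fix proposed in point 4 of the suggestions (match on gateway, DNS and MAC as well as net/mask), as an added example that is not part of the original post and is not Comodo's code: a small Python check that compares an address-only trust rule with a fingerprint rule. The `NetworkFingerprint` schema, the profile name "home", and every address and MAC in it are constructed sample values.

```python
"""Trusted-network matching: address/mask only vs. a richer network fingerprint.

Added illustration; the data model and sample values are constructed, not CIS's.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class NetworkFingerprint:
    """What a host can observe about the network it just joined (hypothetical schema)."""
    subnet: str           # interface subnet, e.g. "192.168.1.0/24"
    gateway_ip: str       # default gateway address
    gateway_mac: str      # MAC of the default gateway as seen in the ARP table
    dns_servers: tuple    # DNS servers handed out by DHCP


def normalise_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so '00-1A-..' and '00:1a:..' compare equal."""
    return mac.replace("-", ":").strip().lower()


def match_by_address_only(observed: NetworkFingerprint, trusted: dict) -> Optional[str]:
    """The weak rule: a network is 'trusted' as soon as its net/mask equals a trusted profile's."""
    obs_net = ipaddress.ip_network(observed.subnet, strict=False)
    for name, profile in trusted.items():
        if ipaddress.ip_network(profile.subnet, strict=False) == obs_net:
            return name
    return None


def match_by_fingerprint(observed: NetworkFingerprint, trusted: dict) -> Optional[str]:
    """The stronger rule: subnet, gateway IP, gateway MAC and the DNS set must all agree."""
    obs_net = ipaddress.ip_network(observed.subnet, strict=False)
    for name, profile in trusted.items():
        if (ipaddress.ip_network(profile.subnet, strict=False) == obs_net
                and profile.gateway_ip == observed.gateway_ip
                and normalise_mac(profile.gateway_mac) == normalise_mac(observed.gateway_mac)
                and set(profile.dns_servers) == set(observed.dns_servers)):
            return name
    return None


# Constructed sample data: one saved trusted profile and two networks observed later.
TRUSTED_PROFILES = {
    "home": NetworkFingerprint("192.168.1.0/24", "192.168.1.1",
                               "00-11-22-33-44-55", ("192.168.1.1",)),
}
HOME_NOW = NetworkFingerprint("192.168.1.0/24", "192.168.1.1",
                              "00:11:22:33:44:55", ("192.168.1.1",))
# Same 192.168.1.x addressing, but a different router and a different DNS server.
PUB_NOW = NetworkFingerprint("192.168.1.0/24", "192.168.1.1",
                             "aa:bb:cc:dd:ee:ff", ("10.0.0.53",))


def decide(observed: NetworkFingerprint) -> dict:
    """Return both verdicts for one observed network so the difference is visible."""
    return {
        "address_only": match_by_address_only(observed, TRUSTED_PROFILES),
        "fingerprint": match_by_fingerprint(observed, TRUSTED_PROFILES),
    }


if __name__ == "__main__":
    for label, net in (("home", HOME_NOW), ("pub", PUB_NOW)):
        print(label, decide(net))
```

Run as-is: the pub network is classified as "home" by the address-only rule, exactly the collision the post describes, while the fingerprint rule rejects it. The caveat is that a gateway MAC and DNS addresses are observable and copyable by whoever runs the other network, so the fingerprint raises the bar against accidental subnet collisions rather than against a deliberately imitated network; for that, identification needs something the router can prove, such as an 802.1X/EAP server certificate.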