I suggest that you update CIS so that, in the Trusted Vendor List, if an empty entry (null, spaces, or a memory pointer like 0x0blah) is found, it is not processed as a trusted object. This can help with some syscalls and null pointer attacks (*mallocPOINTS=ROOT xd, which of course can occur), so even if an attacker makes some progress in exploiting CIS to bypass it, it can be blocked.
This can help with thread- and memory-moving spyware and such.
Long story short, I got hacked some time ago while I was using CIS, and it seems that they used what I describe to bypass the protections. It was hidden and not visible in the trusted list until I brought it to the front by overflowing some things.