Please include an OS hardening tool in CIS

Windows has many security holes, as many unnecessary services are running and pose a threat.
CIS can include a hardening tool to plug these security holes and thus improve the default security.
:P0l
regards

CIS is an OS hardening tool. :wink:

I do not think so :slight_smile:

Hardening an OS is a completely different ball game than what CIS does.

It’s way too specific to the usage of the system to have a “global” tool for this.
Just look at how many profiles Microsoft ships with their policy templates.
There isn’t just a one-size-fits-all setup, it completely depends on your needs.

E.g. do you share files on your LAN? If not, you can disconnect the file and printer sharing from your NIC, disable the NetBIOS over TCP/IP settings, etc., but if you do use it then this won’t help.

Some reading:
http://www.nsa.gov/ia/guidance/security_configuration_guides/current_guides.shtml

Probably a bit over the top for a home user, but anyway:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en
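
An added example, not part of the original post: a PowerShell sketch that audits the two settings named above (the File and Printer Sharing binding and NetBIOS over TCP/IP) per network adapter, and disables them only when asked. It assumes Windows 8 / Server 2012 or later (for the NetAdapter cmdlets) and an elevated shell; the `-Apply` switch is a name chosen for this example.

```powershell
# Added example, not from the thread. Run without arguments to audit only.
# -Apply (hypothetical switch name) makes the changes; requires an elevated shell.
param([switch]$Apply)

# "File and Printer Sharing for Microsoft Networks" is the ms_server binding on each NIC.
$bindings = Get-NetAdapterBinding -ComponentID ms_server

# NetBIOS over TCP/IP per IP-enabled interface:
#   0 = take the setting from DHCP, 1 = enabled, 2 = disabled
$netbt  = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
$labels = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

# Report the current state first, so the decision depends on how the machine is used.
$bindings | Select-Object Name, DisplayName, Enabled | Format-Table -AutoSize
$netbt | Select-Object Description,
    @{ Name = 'NetBIOSoverTCPIP'; Expression = { $labels[[int]$_.TcpipNetbiosOptions] } } |
    Format-Table -AutoSize

if ($Apply) {
    # Unbind file and printer sharing from every adapter where it is still enabled.
    foreach ($b in ($bindings | Where-Object { $_.Enabled })) {
        Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_server
    }

    # Set NetBIOS over TCP/IP to "disabled" (2) on every interface not already there.
    foreach ($cfg in ($netbt | Where-Object { $_.TcpipNetbiosOptions -ne 2 })) {
        $result = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        # 0 = success, 1 = success but a reboot is required; anything else is a failure.
        if ($result.ReturnValue -notin 0, 1) {
            Write-Warning "Could not change NetBIOS on '$($cfg.Description)' (code $($result.ReturnValue))"
        }
    }
}
```

As the post says, this only makes sense on a machine that does not share files or printers on its LAN; on one that does, the audit output is the useful part.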

Since I have always liked Comodo for increasing simplicity, I do not think it is prudent to leave this hole unplugged.
You can include a profile to have different levels of patching of the OS, as in Defense Plus: like simple, where only the basic, most vulnerable, less commonly used holes are patched, with an option and explanation for each of the activities done, then strict and paranoid levels.
This will make CIS more impregnable.
regards :P0l

What “security holes” are you talking about? If you discover any you should report them directly to Microsoft. Otherwise, Windows is a very secure operating system.

Windows secure by default, I do not agree :slight_smile:

Can you name some security holes?

I’ll just give one:
on most computers one can easily access the DOS prompt and regedit :wink:
NetBIOS is mostly active
and various others

Those are still not security holes, they’re just kitchen knives that could be abused.

The problem here is if you don’t need NetBIOS you can disable it so it’s not there IF there is a security hole found in it. This security hardening is way too specific for average Joe and depends totally on the need and the environment the system is in.

Personally I believe that a common computer user is totally unaware of such small things.
These can be easily taken care of by DACS also, which can explain each process in detail and the essentiality of a service running.
regards :P0l

That’s not a security hole…

netbios is mostly active and various others

Windows Firewall will block attackers from accessing this anyway (not that you’ve mentioned any security holes in it).

If Windows Firewall is so good, why do we need a third-party firewall?
And can you prevent scripts from running command prompt without the user’s exclusive permission?

Exactly 8). You don’t need a 3rd party firewall.

and can you prevent scripts from running command prompt without user's exclusive permission ?

Yes, don’t run programs you don’t trust.

If Windows is fully patched and CIS is in Proactive Security the only hole is the user behind the machine.

good to be paranoid :wink:

Yes, it’s definitely good for security companies. More people scared = more profit. Good thing you’ve chosen a company with a free security suite, though.

support for 16 bit applications
:stuck_out_tongue: is turned on by default :smiley:

What does that have to do with anything?

This could be totally irrelevant, as I feel I’m jumping in with more knowledgeable people here, but couldn’t a malicious program be written in 16 bit? I’m sure CIS would find this weird and do something about it though, so probably not much to worry about, right or no?