We use a 3rd party vendor to scan our site and provide the requirements and recommendations. I have no idea whether this vendor posts these publicly. I don't believe it is much work to enable "remember me" from an engineering standpoint. In fact, I believe, it was extra code to DISable it. So hopefully folks can understand that we are attempting to provide the best security possible on our site, not lazily trying to avoid making login simpler. Like I said though, I will bump up the request again.