I only know about CVE-2013-3900 (WinVerifyTrust) which allows modified files to pass signature check unless you tweak registry to enable patches.
I think there must be other instances like this where Microsoft won’t fix vulnerability or chooses insecure defaults, is there a list?
Don’t know precisely, but hear from time to time that Microsoft is notorious for not patching in time in many cases, leaving vulnerabilities for months and sometimes years. I am pretty sure that MS just kinda gave up on the vulnerabilities MimiKatz exploits, so if the bad guys are on your network and you use MS infra it’s pretty much a question of time before they get admin credentials.