I'm getting dinged in Microsoft Secure Score for "Retain spam in quarantine for 30 days". When I check my policies, they're configured to retain suspected spam for only 15 days.

I've done lots of googling, and can find lots of places saying 30 days is the default - apparently it's even a question on the MS-500 exam - but nothing to indicate why Microsoft believe keeping it longer is more secure.

The only thing I can think of is data integrity - you're giving users a month to realise they're missing a false positive rather than two weeks - but then 30 days seems very arbitrary. If I set it to 31 am I even more secure? 

I'm happy with 15 days and feel little need to double my Quarantine storage needs, but I worry maybe I'm missing something?