The whole point that Josh and others here try to make is that if you want to roll out to a full user base, it is not "just adding some lines".
Why not "just adding some lines"? First of all, the lines should demonstrably improve the security of the system. Second, the lines should then demonstrably not break any functionality that users rely on, and this should be tested first.
For instance, your suggestion to set X-XSS-Protection has little to no benefit, because the modern browsers that support it have the filter behaviour enabled by default. Worse, if enabled (set to 1) it actually CAUSED an XSS injection vulnerability in IE8. And any added header just needs to be tested: for instance, if you rolled out strict-origin or same-origin for Referrer-Policy, many Chrome users would end up with broken websites.
Just to say that adding some lines to your own config is a different ballgame from rolling changes out to production. If you do not like that, fine of course: you can always run your own customized post-update script to set things completely how you want them and break anything you like (or not). Or you can make a convincing case for how a change will demonstrably improve security, test it well, and open up a pull request.
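As an added illustration of the "test before you roll out" point made above (example code written for this page, not from the post's author or from any project discussed here): a small pre-rollout audit that diffs a proposed header set against the current production set and flags the two pitfalls the post names. The rule set encodes the post's own caveats (`X-XSS-Protection: 1` is blocked, referrer-restricting `Referrer-Policy` values are marked as needing testing); the `Referrer-Policy` fallback-list handling follows the spec (a browser applies the last token it recognises). The header values, function names and severity levels are all constructed for the example.

```python
"""Pre-rollout audit of a proposed HTTP security-header set (constructed example)."""
from dataclasses import dataclass

# All tokens the Referrer-Policy spec defines; "" means "use the browser default".
REFERRER_VALID = {
    "", "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies that withhold or reduce the referrer on cross-origin requests; the post
# reports that rolling these out broke sites for many Chrome users, so they need testing.
REFERRER_NEEDS_TEST = {"no-referrer", "same-origin", "strict-origin"}


@dataclass(frozen=True)
class Finding:
    header: str
    severity: str  # "block": do not ship as-is; "test": ship only after testing; "info"
    message: str


def _normalise(headers):
    """Header names are case-insensitive; compare them lower-cased and trimmed."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def effective_referrer_policy(value):
    """Policy a browser applies for a Referrer-Policy value.

    The header may carry a comma-separated fallback list; browsers use the last
    token they recognise and skip unknown ones. Returns None if nothing is recognised.
    """
    tokens = [t.strip().lower() for t in value.split(",")]
    known = [t for t in tokens if t in REFERRER_VALID]
    return known[-1] if known else None


def audit_headers(current, proposed):
    """Compare the proposed header set with production and return findings."""
    cur, new = _normalise(current), _normalise(proposed)
    findings = []

    # 1. A header that silently disappears may break functionality users rely on.
    for name in cur:
        if name not in new:
            findings.append(Finding(name, "test",
                "header dropped from the proposed set; confirm nothing relies on it"))

    # 2. X-XSS-Protection: "1" adds nothing on modern browsers and, per the post,
    #    caused an XSS vulnerability on IE8; "0" only disables the filter.
    xss = new.get("x-xss-protection")
    if xss is not None:
        mode = xss.split(";", 1)[0].strip()
        if mode == "1":
            findings.append(Finding("x-xss-protection", "block",
                "enabling the filter adds nothing on modern browsers and is reported "
                "to cause XSS on IE8; remove the header or set it to 0"))
        elif mode == "0":
            findings.append(Finding("x-xss-protection", "info", "filter explicitly disabled"))
        else:
            findings.append(Finding("x-xss-protection", "block", f"unrecognised value {xss!r}"))

    # 3. Referrer-Policy: a typo is ignored by browsers (so it must be caught here),
    #    and a newly restrictive effective policy needs a test pass first.
    rp = new.get("referrer-policy")
    if rp is not None:
        unknown = [t.strip() for t in rp.split(",") if t.strip().lower() not in REFERRER_VALID]
        if unknown:
            findings.append(Finding("referrer-policy", "block",
                f"unknown token(s) {unknown}; browsers would ignore them"))
        effective = effective_referrer_policy(rp)
        before = effective_referrer_policy(cur.get("referrer-policy", ""))
        if effective in REFERRER_NEEDS_TEST and effective != before:
            findings.append(Finding("referrer-policy", "test",
                f"{effective!r} restricts the referrer sent cross-origin; "
                "test integrations that depend on it before rolling out"))
    return findings


def rollout_allowed(findings):
    """A change ships only if no finding is a hard block."""
    return not any(f.severity == "block" for f in findings)


# Constructed sample header sets (not real production data).
CURRENT_PROD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
PROPOSED = {**CURRENT_PROD, "X-XSS-Protection": "1; mode=block", "Referrer-Policy": "strict-origin"}
PROPOSED_SAFE = {**CURRENT_PROD, "X-XSS-Protection": "0",
                 "Referrer-Policy": "strict-origin-when-cross-origin"}

if __name__ == "__main__":
    for label, candidate in (("PROPOSED", PROPOSED), ("PROPOSED_SAFE", PROPOSED_SAFE)):
        findings = audit_headers(CURRENT_PROD, candidate)
        print(label, "ship" if rollout_allowed(findings) else "hold")
        for f in findings:
            print(f"  [{f.severity}] {f.header}: {f.message}")
```

The "test" severity is deliberately not a block: the point is not that `strict-origin` is wrong, only that it must be exercised against the sites and integrations users actually rely on before it reaches the whole user base. Run the script as-is to see `PROPOSED` held back and `PROPOSED_SAFE` cleared.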