Whose idea was it that every single security standard should include "no server should have a port open to the public internet"?!

"This server has port 80 and 443 open to the internet" is a risk I need to close so often and I hate it