
That's assuming the security models being compared are strict about the things that matter.

For instance, I can be very strict about PDFs on your computer: no PDF allowed. If you have addressed the risks posed by other more vulnerable attack vectors, OK, then my rule reduces the uncertainty of less strict but more complicated rules that would address the vulnerabilities of PDF readers. Otherwise, for example if I'm allowing the auto-execution of apps on removable devices, my strict PDF rules don't increase security.



And might even decrease security in practice if people end up working around your strict rules via an even less secure path (e.g. sending around Word documents instead of PDF, perhaps).



