The current way Conditional Access rules are applied to manage and enforce access uses a permit-by-default, most-restrictive-CA-rule approach.
This approach is counter-intuitive compared with every other access management model, which denies by default and then permits progression through the access rules, with the option to stop processing once a given rule is hit.
The current way CA rules are implemented makes it very difficult to implement the required policy, and makes it very easy to accidentally end up with a configuration in which an access request hits none of the CA rules and is simply permitted by default.
Microsoft should provide organisations with an option to configure CA rules with a deny-by-default approach, and should support rule ordering and rule-assessment stop options.
To start providing parity with other IdPs, support for If/Else access rules would be beneficial as well.
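The gap described above is easiest to see side by side. The following Python model is an added illustration, not Microsoft code and not the real Conditional Access engine: it evaluates one constructed policy set under both semantics (every matching policy applied with the most restrictive outcome winning and no match meaning access is allowed, versus ordered first-match-wins with a deny default) and includes a small coverage check that lists requests hitting no policy at all, which is the misconfiguration the post warns about. Policy names, groups, apps and locations are all constructed sample values.

```python
"""Toy comparison of permit-by-default (all matching policies combined)
versus deny-by-default (ordered, first match stops processing).

Added example: not Microsoft code and not the real Conditional Access
engine. All policy and request attributes below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user_group: str
    app: str
    location: str


@dataclass
class Policy:
    name: str
    groups: set          # match any listed group; empty set = all groups
    apps: set            # empty set = all apps
    locations: set       # empty set = all locations
    action: str          # "block" or "grant"
    controls: frozenset = frozenset()  # controls required when action == "grant"

    def matches(self, r: Request) -> bool:
        return ((not self.groups or r.user_group in self.groups)
                and (not self.apps or r.app in self.apps)
                and (not self.locations or r.location in self.locations))


def evaluate_permit_by_default(req: Request, policies):
    """Apply every matching policy; any block wins, otherwise the union of
    all required controls applies. No match at all => access with no controls."""
    matched = [p for p in policies if p.matches(req)]
    names = [p.name for p in matched]
    if not matched:
        return ("allow", frozenset(), names)     # the silent permit
    if any(p.action == "block" for p in matched):
        return ("deny", frozenset(), names)
    controls = frozenset().union(*(p.controls for p in matched))
    return ("allow", controls, names)


def evaluate_deny_by_default(req: Request, policies):
    """Walk policies in order; the first match decides and processing stops.
    No match => deny."""
    for p in policies:
        if p.matches(req):
            outcome = "deny" if p.action == "block" else "allow"
            return (outcome, p.controls, [p.name])
    return ("deny", frozenset(), [])


def find_uncovered(requests, policies):
    """Coverage check: requests that match no policy and would therefore be
    permitted with no controls under the permit-by-default model."""
    return [r for r in requests if not any(p.matches(r) for p in policies)]


# Constructed sample policy set (order only matters for the deny-by-default model).
POLICIES = [
    Policy("Block untrusted locations", set(), set(), {"untrusted"}, "block"),
    Policy("MFA for employees on payroll", {"employees"}, {"payroll"}, set(),
           "grant", frozenset({"mfa"})),
    Policy("Compliant device for payroll", set(), {"payroll"}, set(),
           "grant", frozenset({"compliant_device"})),
]

# Constructed sample requests, including one that no policy covers.
SAMPLE_REQUESTS = [
    Request("employees", "payroll", "office"),
    Request("employees", "payroll", "untrusted"),
    Request("contractors", "payroll", "office"),
    Request("contractors", "hr-portal", "office"),   # hits no policy
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r, "permit-by-default:", evaluate_permit_by_default(r, POLICIES),
              "deny-by-default:", evaluate_deny_by_default(r, POLICIES))
    print("uncovered:", find_uncovered(SAMPLE_REQUESTS, POLICIES))
```

Running the block shows the contractor request to hr-portal being allowed with no controls under the first model and denied under the second, while the employee payroll request from the office collects both the MFA and compliant-device controls (the most-restrictive combination) in the first model but stops at the first matching rule in the second. A check like `find_uncovered` is the kind of review a tenant owner would want before relying on permit-by-default evaluation.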