If you’ve ever tried svcutil.exe to import WSDL which doesn’t have <sp:OnlySignEntireHeadersAndBody> specified in the security policy, you’ll know that this doesn’t fly. SvcUtil will tell you that the security policy is not supported. So why is this? I assume this has something to do with a statement in paragraph 6.6 of the WS-SecurityPolicy specification, which states:
Setting the value of this property to ‘true’ mitigates against some possible re-writing attacks.
So apparently Microsoft decided that setting it to false is not a good idea, and decided not to support setting it to false (omitting the element).
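
A pre-flight check for the situation described above, as an added example that is not from the original post or from Microsoft's tooling: it lists the policies in a WSDL whose symmetric or asymmetric binding omits sp:OnlySignEntireHeadersAndBody, the condition the post says makes svcutil.exe refuse the import. The sample WSDL, the policy ids and the function names are constructed for illustration, and the check assumes top-level policies carry a wsu:Id.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy 1.1 and 1.2 namespaces
SP_NS = {"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
         "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"}
WSU_ID = ("{http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd}Id")
BINDINGS = {"SymmetricBinding", "AsymmetricBinding"}  # message-level bindings
ASSERTION = "OnlySignEntireHeadersAndBody"

def is_sp(elem, names):
    """True if elem is a WS-SecurityPolicy element with one of the given local names."""
    tag = elem.tag
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns in SP_NS and local in names

def policies_missing_assertion(wsdl_text):
    """Return [(policy wsu:Id, binding name)] for bindings that omit the assertion."""
    if "<!DOCTYPE" in wsdl_text:  # WSDL needs no DTD; refuse entity declarations
        raise ValueError("DOCTYPE not allowed in WSDL input")
    findings = []
    for policy in ET.fromstring(wsdl_text).iter():
        # Assumption: only top-level policies carry wsu:Id; nested ones are skipped
        if not policy.tag.endswith("}Policy") or WSU_ID not in policy.attrib:
            continue
        for binding in policy.iter():
            if is_sp(binding, BINDINGS) and not any(
                    is_sp(d, {ASSERTION}) for d in binding.iter()):
                findings.append((policy.attrib[WSU_ID], binding.tag.split("}")[1]))
    return findings

# Constructed sample: one policy with the assertion, one without it
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="StrictPolicy"><wsp:ExactlyOne><wsp:All>
    <sp:SymmetricBinding><wsp:Policy><sp:OnlySignEntireHeadersAndBody/></wsp:Policy></sp:SymmetricBinding>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
  <wsp:Policy wsu:Id="LoosePolicy"><wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy><sp:IncludeTimestamp/></wsp:Policy></sp:AsymmetricBinding>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
</wsdl:definitions>"""

if __name__ == "__main__":
    for policy_id, binding in policies_missing_assertion(SAMPLE_WSDL):
        print(f"{policy_id}: {binding} omits sp:{ASSERTION}")
```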