When you start taking into account common requirements such as the Payment Card Industry Data Security Standard (PCI DSS), you will see from crosswalk mapping that these common requirements are more comprehensive than what is included natively by NIST CSF, so you would need to use ISO 27002 or NIST 800-53 to meet PCI DSS as a framework (depending on your SAQ level), unless you want to bolt-on additional controls to the NIST CSF to make that work. Is that wrong? No, but it is just messy when you start bolting onto frameworks.