Deployed and actively used by some larger european companies, we also got feedback from some US companies that use parts of our work to harden their systems.
Maintainer here, we use a collection of baselines that are derived from internal guidelines and CIS benchmarks. The baselines have some more information as to what is done. For example SSH: https://github.com/dev-sec/ssh-baseline