If you think the default web app web.config files are bad in their vanilla form, just wait until you have to deploy into a secure environment. The Web.config is just one link in an inheritance chain that flows down from %WinDir%\System32\inetsrv\config\applicationHost.config through each application directory to your web site's directory. You haven't lived until you've had to walk every config file in this chain to find the one that has a duplicate ISAPIRestriction or Authentication tag definition (this breaks the entire IIS worker process).
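One way to automate the walk described above, as an added PowerShell example that is not part of the original text: it builds the chain from applicationHost.config down to an application directory and reports every file that defines a given element. The paths in `$SiteRoot` and `$AppDir` are hypothetical, and `isapiCgiRestriction` and `authentication` are assumed to be the element names behind the tags mentioned.

```powershell
# Added example. Run elevated: applicationHost.config is readable by admins only.
param(
    [string]$SiteRoot   = 'C:\inetpub\wwwroot',          # hypothetical site root
    [string]$AppDir     = 'C:\inetpub\wwwroot\app\api',  # hypothetical app directory
    [string[]]$Elements = @('isapiCgiRestriction', 'authentication')
)

$root  = (Resolve-Path -LiteralPath $SiteRoot).Path.TrimEnd('\')
$leaf  = (Resolve-Path -LiteralPath $AppDir).Path.TrimEnd('\')
$under = $leaf.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)
if (($leaf -ne $root) -and -not $under) { throw "$leaf is not under $root" }

# Build the chain: applicationHost.config first, then one web.config per
# directory from the site root down to the application directory.
$chain = @(Join-Path $env:WinDir 'System32\inetsrv\config\applicationHost.config')
$dir = $root
$chain += Join-Path $dir 'web.config'
foreach ($part in ($leaf.Substring($root.Length) -split '\\' | Where-Object { $_ })) {
    $dir = Join-Path $dir $part
    $chain += Join-Path $dir 'web.config'
}

$level = 0
$hits = foreach ($file in $chain) {
    $level++
    if (-not (Test-Path -LiteralPath $file)) { continue }
    try { $xml = [xml](Get-Content -LiteralPath $file -Raw) }
    catch { Write-Warning "Not well-formed XML: $file"; continue }
    foreach ($name in $Elements) {
        # Match at any depth (including inside <location> blocks), ignoring namespaces.
        $nodes = @($xml.SelectNodes("//*[local-name()='$name']"))
        if ($nodes.Count -eq 0) { continue }
        $parents = $nodes | ForEach-Object {
            $loc = $_.SelectSingleNode('ancestor::location/@path')
            if ($loc) { "location[$($loc.Value)]/$($_.ParentNode.Name)" } else { $_.ParentNode.Name }
        }
        [pscustomobject]@{
            Level = $level; Element = $name; Count = $nodes.Count
            Parents = ($parents -join ', '); File = $file
        }
    }
}

$hits | Sort-Object Element, Level | Format-Table -AutoSize -Wrap
# An element that appears more than once in one file, or in several files of the
# chain, is where to look for the conflicting definition.
$hits | Group-Object Element |
    Where-Object { $_.Count -gt 1 -or ($_.Group | Where-Object { $_.Count -gt 1 }) } |
    ForEach-Object { Write-Warning "'$($_.Name)' defined in: $($_.Group.File -join '; ')" }
```

The script only reads the files; an element legitimately present at several levels still needs a manual look to decide which definition is the conflicting one.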