I've worked on and off in the medical devices field for a long time, and have been directly involved with the FDA approval process of several products. One thing I can add to this discussion is that anyone who has been through this process recognizes that "not legally enforceable guidelines" still need to be addressed before one can actually get a product released. Sure, maybe an organization could argue around them, but there are so many ways that the FDA can hold up a release or generally cause an organization grief that it's simply not practical to do so.
The bigger issues are 1) that these guidelines are relatively new and have only fairly recently been getting enforced, and 2) the people doing the reviewing don't always have enough security knowledge. For #1, it looks like loss of privacy is now starting to get acknowledged as a form of harm to the patient, and so security is starting to get lumped in with other risk analysis. For #2, consider that "FDA" stands for "Food and Drug Administration" -- "Medical Devices" isn't even in the title, and it's certainly not the prime focus of the agency.