Why is +::0:0::: not supposed to be found in /etc/passwd?

I was reading the [BSI Security Guidelines (GERMAN)](https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05018.html;jsessionid=2FB12997650B43C2E61B2039333D3BA1.2_cid351?nn=6604938) , on NIS and it explicitly mentioned that one should prevent the entry +::0:0::: from occuring in the /etc/passwd file of the NIS server. From my research I have garnered, that the + would import the entire NIS list into the passwd file. The solution proposed by the guideline, is to add a * to the password section of the entry, which would make the username be looked up in the shadow file. Is this not somewhat counter productive, as it would essentially make importing the NIS list useless (since these do not have entries in shadow)? Furthermore, what would a legitimate usage of this entry be and how could an attacker exploit the entry (without the *)?