Often referred to as being "a mile wide and an inch deep", the CISSP covers a great number of topics but often only superficially. That's by design and should not be confused with deep expertise in any one field but a broad understanding of security concepts.
For over a decade I have been explaining that the purpose of the CISSP exam across the domains (as opposed to the experience requirement) is to make sure that certified CISSPs know enough about the breadth of tasks needed in INFOSEC (see Security Engineering by Ross Anderson) to look at a security engagement and know what areas they ARE SMART to apply, what skills they need to GET SMART to apply, and what skills they need to HIRE SMART to complete the job.
Making all aspirants study across all the domains, even if they have actual expertise in only one or two domains or sub-domains, serves the purpose of addressing what they don't know they don't know, moving many topics into the category of what they know they don't know (takes us back to GET SMART or HIRE SMART).
If a CISSP with only business continuity planning (BCP) and governance, risk, and compliance (GRC) expertise sells himself into a firewall management job, shame on him.
If that same is CISSP is straightforward about his real skills but HR hires him for the firewall job because he has a CISSP, shame on the HR and hiring supervisor folks.