<sigh> 3.2-A says that each RSO is expected to do everything in BCP 40 as if each RSO stands alone. Thus, 3.2-A goes beyond BCP 40 to make it per-RSO.
I'd agree that BCP40 is sort of a wrong target for per-RSO expectations. BCP40 is saying what the system must do, and there are likely elements within BCP40 that will apply to each RSO as the system can't support BCP40 if each RSO individually doesn't uphold those parts. So it's confusing.
Looking at all the MUST requirements in BCP40 (aka RFC 7720), they are required across every instance, which means we should be able to point at it.
IMHO, this weird situation derives from the 001 requirements wanting to refer to those other expectations, which we should do, but at the same time list them as "external".
Maybe the right thing to do is drop both 3.2-A and 3.1-B in favor of a more generic statement like "In addition to the requirements in this document, requirements from the IETF on root server operators are documented in BCP40".