In this effort to be compliant in order to avoid penalties, asset owners with limited resources emphasize compliance. After all, it is compliance with the standard which allows you to go unpenalized, not security. The audit process and its emphasis on compliance rather than security serve to divert resources from security. Time, money and effort go into being compliant instead of secure. Again, compliant with a standard that has little bearing on true security.
The process is broken, contributing to poorer security through the diverting of resources. Having said that... I have wracked my brain for a better model and am at a loss for a solution, as all the scenarios I come up with involve huge government inclusion into security monitoring and testing.