The main argument I have heard is it’s less finding exploits and doing real security and more mind numbing auditing and checking boxes not to prevent attacks but to cover your ass when they happen.