Sunday, October 12, 2008

The Compliance Gorilla

There are many compliance standards, and auditing against them is, of course, a good thing. I've talked with many security professionals recently about the big picture. Sure, the goal is to harden systems, and auditing does provide a means to measure progress toward that goal.

The criticism of auditing reminds me of the criticism directed at the No Child Left Behind Act. Many organizations are happy with just being compliant. When the focus is only on compliance, the organization's overall security posture suffers because attention narrows to individual systems. Each piece of the network is "compliant" on its own, but what about the internetworking of these systems?

My problem with most compliance efforts is that the overall network security posture can be totally inadequate or, worse, non-existent. The result is indefensible networks. Since everyone is talking about the Gorilla, what should we do about it?

