This article highlights a lot of problems that exist in the infosec field today. There is a great quote in there:
“Most IT Security organizations are busy checking some boxes on an audit list, and effectively missing the forest for the trees when it comes to actual security.”
I would sign under every word. That’s also the jist of the argument of people who are vehemently against PCI, though I wouldn’t necessarily include myself in that camp.