Well, they were SUPPOSED to follow the regs. Of course that doesn't mean they did. As you suggest, though, compliance and security are not only not the same thing, they are only very loosely coupled. In some cases we've had security regulations require the use of insecure methods, such as MD5. I spent 15 years doing security for small companies before I just recently started learning compliance with all of these "security" standards.
PCI is pretty good, though. It's not comprehensive, but it doesn't require insecurity.
There are many influences on these regulations that are intended to offer some illusion of security, but all they seem to do is increase the cost to meet them and decrease the quality of services Federal Agencies are charged with providing to the American public. The Agency I'm in is fully expected to meet these requirements as laid out by HITECH and Meaningful Use. However, the ROI is not remotely worth the effort. Let's spend millions meeting some requirement so we can increase our collections by some very small percentage. Spend millions attempting to meet some requirement that will never be met...
Drives me crazy.