Comment Re:Oh, this sounds like a good idea... (Score 1) 209

In reality, the auditor typically has minimal technical competency, and is running a canned set of tools that throw out so many false positives that the reports are practically worthless -- or, if followed to the letter, would make a system fail to even perform its function. Or in some cases even boot. They may not even have a canned set of tools for the right OS in the first place, making the reports even more useless.

Universally true? No. But it's been true in my experience dealing with PCI auditors with one of the major credit card processors. The processors are interested in demonstrating compliance, which may or may not have anything to do with real world security or actual deep inspection of the security of the systems.

And yes, nobody, including the credit card processors, wants to take the blame or the responsibility. IT is overhead to them, which cuts into the bottom line -- therefore there's little to no interest in hiring people qualified (and with sufficient authority) to properly protect the systems in question. Not to mention the infrastructure investment to go with it.

PCI compliance tends to leave a false sense of security to organizations that don't understand IT in the first place.

Comment Re:hmph (Score 1) 131

Contemplate the state of your Windows box 17 years ago.

Can't do that personally, since I was running Slackware Linux right about that time ... :-) (I think the beta was around before 1993, but close enough for Slashdot posts.)
