Wednesday, April 11, 2007

Diversity for Security vs Uniformity for Compliance

Remember the old security monoculture paper by Dan Geer ("CyberInsecurity: The Cost of Monopoly", 2003)? It concluded that "corporations and governments should diversify their computing environments to better ensure survivability in the event of widespread failures in common operating systems and applications."

This fun blog post contrasts that security argument with compliance requirements (specifically, PCI DSS). It turns out that "there is a direct correlation between platform and application diversity and the cost and effort associated with achieving and maintaining compliance with the PCI Data Security Standard [as well as other regulations]." In other words, every additional platform or application is one more set of controls to configure, patch, scan, document and prove to an assessor.

So, it boils down to who is scarier: a worm or an auditor? :-) A tough one indeed!

Dr Anton Chuvakin