So, I've been meaning to write a longer post on this, but a time crunch barged in, so I will just drop a formula here.
First, checkbox compliance is OK: compliance is inherently "checkboxy" - as in 'here is a list - now bring your environment into agreement with it'.
Second, in some sad places, compliance = security (despite all the discussions to the contrary).
Third, the result is checkbox security, which is an ugly, sad, wasteful, multi-headed critter that shows up in many places at once (e.g. 'see here, it said "IDS" - Ooook, ours is unpacked, racked and connected - CHECK!', or even 'SOX? We did SOX by doing all this documentation here. So now we are safe, right?', or 'Pay for my PCI audit and I will make you [look] secure').