I did say that I am writing a longer blog post on that ("Scary Tales from 'Compliance First' World"), but I just can't resist.
Yes! Yes!! Yes!!! Everybody smart and security-savvy KNOWS: focus on security and risk management first, AND whatever compliance du jour will follow. The "security first" mantra works; it just works.
But you know what? I am constantly SHOCKED by the number of people who INSIST on "compliance first", AND in a siloed, regulation-by-regulation way. OMFG!