An assessment is supposed to go up to the dart board and check to see if you got a bulls eye or how close you got. Having people throw darts and then going up to the board and drawing a bullseye around where the dart lands isn't helpful.

This kind of assessment is worse than useless, its harmful, its like giving people umbrellas and taking them back when it rains. being insecure is not the biggest problem, you can be insecure, know you are insecure and act accordingly. As Brian Snow said, the most dangerous stance is to assume you are secure when in fact you are not secure.

via 1raindrop.typepad.com

This is really an awesome post from Gunnar Peterson. I work with PCI everyday and I can tell you that poor assessments, either the official QSA ones or the internal ones performed by organizations trying to achieve PCI DSS compliance, are the main reason why PCI does not bring as much security as we expect. It's the land of cognitive dissonance where everybody thinks they are doing a great job just because the assessor said so.