Which compliance pill to take?
Anton Chuvakin wrote a very good piece about PCI and about how regulations like it are usually written and interpreted. He is completely right in defining the problem as a choice between two options:
Mandate the tools (e.g. "must use a firewall") - and risk "checklist mentality", resulting in BOTH insecurity and "false sense" of security.
Mandate the results (e.g. "must be secure") - and risk people saying "eh, but I dunno how" - and then not acting at all, again leading to insecurity.
About those options, he says:
"Take your poison now?! Isn't compliance fun? What is the practical solution to this? I personally would take the pill #1 over pill #2 (and that is why I like PCI that much), but with some pause to think, for sure."
Actually, I believe it may be possible to reach an intermediate alternative. By defining the rules and standards for risk assessment and management, we could set the standard as a definition of acceptable risk levels, instead of saying "must be secure" and without the need to go as deep as "must use a firewall". Of course, this approach would raise several questions about how to achieve compliance, but it would give organizations more freedom in how they approach their risks and would avoid the "checklist mentality".
The problem with risk-management-based compliance is that an organization can manipulate its risk assessments and downplay things that should be identified as "high risks". If the risk equation and the impact and probability levels were standardized, however, it would be easy to compare apples to apples and to say things like "risks above level X must be mitigated down to level Y".
Even by taking that approach, we would still have to deal with the control efficiency problem. Like the firewall that Anton mentioned, there are several controls (probably most of them) for which the way they are implemented and managed matters even more than the control itself. Maybe the best way to solve that is to define appropriate ways to deploy and maintain each proposed control. But by doing that we could end up at a very deep (and inefficient) level of detail. It seems to be a catch-22 situation. Personally, I don't know who is worse at deciding where the bar should be placed: auditors or standard writers. I don't trust either :-)