PCI is far from good requirements. Some of their controls make sense, some made sense for corps in the 90s and some are completely opposite to what you should do. It's good that they at least force the company to think of the requirements and dedicate some time to it. But I really wouldn't put PCI DSS as a good example, or an "almost always safe" example.
