Long time ago I was working for a web hoster, and had to help customers operating web shops to pass audits required for credit card processing.
Doing so regularly involved allowing additonal ciphers for SSL we deemed insecure, and undoing other configurations for hardening the system. Arguing about it is pointless - either you make your system more insecure, or you don't pass the audit. Typically we ended up configuring it in a way that we can easily toggle those two states, and reverted it back to a secure configuration once the customer got their certificate, and flipped it back to insecure when it was time to reapply for the certification.
This tracks for me. PA-DSS was a pain with ssl and early tls... our auditor was telling us to disable just about everything (and he was right) and the gateways took forever to move to anything that wasn't outdated.
Then our dealerships would just disable the configuration anyway.
The dreaded exposed loopback interface... I'm an (internal) auditor, and I see huge variations in competence. Not sure what to do about it, since most technical people don't want to be in an auditor role.
Many moons ago, I failed a "security audit" because `/sbin/iptables --append INPUT --in-interface lo --jump ACCEPT`
"This leaves the interface completely unfiltered"
Since then, I've not trusted any security expert until I've personally witnessed their competence.