I seem to recall (from my point of view) the level of effort was based on how many transactions you dealt with. That way small companies would not be killed by the overhead of dealing with it.
Also, I remember our Unix admin getting really pissed when we would not allow him to explain to the auditors that a particular system was Linux, did not have inbound email, did not present any shares using ANY protocol, was accessed strictly via secure shell from me and him, and had its own very restrictive firewall settings and DID NOT NEED WINDOWS VIRUS SCANNING!
After meeting with the auditors once, we realized it was far easier to set up bullshit technical "fixes" that we could then check off the list. The admin was ready to kill me. He was a talker, and was furious that we'd require him to set up and maintain software (including ongoing signature updates).
And then the flip side was worse. These auditors did not like the way something was done under Windows. My Windows admin pulls out the MS book, highlights the phrase "best practices", and they then corrected their check-off lists to include whatever our admin told them.
Idiots.