Biggest issue I have with the controls is that they are so damn ambiguous. I mean, you can potentially satisfy a control in one way yet get dinged in an audit if the QSA doesn't agree with your interpretation of the control - even if how you satisfy the control exceeds the requirement. Reminds me of a certain certification as well (*cough*CISSP*cough*). Oh, and as an aside, I loved your post on Packet Pushers (re: throwing down the gauntlet). Many very true statements in there, I do believe.