zbentley 5 hours ago

The number of FISMA-HIGH, ATO'd/RMF'd, security audited government systems I've seen with equivalent security issues is…substantially nonzero. I have come to believe that most security audits, even ones conducted through widely-reputed groups or under strict standards, are much worse than useless. Audits are a thing that can theoretically be done well/in a value-adding way, but rarely are, for the same reasons that most private-sector security teams I've worked with are effective only at generating internal badwill, and ineffective at increasing security above a very low baseline.