Comment by matt_s
3 years ago
It's not the age of the person, it's the experience level. The PCI internal compliance people (who were consultants) had never configured a server, never did a sysadmin job of any kind, maybe they programmed something in college for a project 25+ years ago. All of the InfoSec audit/compliance people that I ran into gained their knowledge from books, not from experience. So when you challenged a "requirement" with an alternative or why in that system it didn't apply, they had nothing to go on because they didn't understand the technology or how it worked.
Anyone with experience doing sysadmin work will be doing that - or if they are in the infosec space they are probably doing pen testing, etc., using their skills and not consulting/compliance work.
Competence isn't the priority; the rationale for management to hire consultants is that it moves the responsibility elsewhere, to a firm that is blame-able and fire-able.