The compliance costs aren't what worry me. The part that worries me is ending up with FIPS but even worse everywhere. Just because of how slowly it evolves and how people are stuck on old things because of that.
I cant argue. I dont love all of the things we are required to do. I'm sure my current VPN is better than what I'll have to implement. The things I'm required to implement are major attack targets with histories of vulnerabilities - but they are certified.