Doesn't offer much utility IMO as most distributions come with secure defaults ootb these days. Unfortunately its checklist is not thorough enough to keep you ahead of the security curve.
Lynis author here. While some defaults definitely became better, often due to the kernel itself being better protected, there is still a lot of room for improvement. The distribution often can't make things too strict, to prevent common issues. Keep also in mind that it is not just the OS itself, but especially the parts that get added over time (users, software, configuration file changes) that introduce the biggest flaws. The aim of Lynis is to do a regular health check, giving the sysadmin the chance to tighten things where needed or correct those things that got out of spec.
We are looking for something to run as part of our AMI/Docker testing and, as you say, stays fresh on standards (whatever SOC2/ISO, but ideally also FIPS), any prefs?
I use it for regular scanning, flagging potential issues, automatically making changes, aligning images to CIS Level 2, and for ongoing scanning to satisfy SOC2 auditors.