Most of this comes about because the talent pool for cyber is so small. Cyber auditors should understand what the risk is, what controls should be in place, and how they operate.
Most don't because they lack the appropriate technical skills. Therefore we fall back on checklists, as less skilled people can do a compliance check to it.
In large organisations this can also happen between cyber and engineering teams, where the teams don't understand security and are just focussed on releasing features, and so cyber enforces checklists or non-negotiables or compliance assessments.
All of this comes down to skills and awareness. Not enough people have the skills/knowledge to cover all the roles out there.
Don't think the talent pool is small. It's the budget. InfoSec is seen as a huge money sink in the eyes of many unfortunately.