Many large orgs, even if individual companies are doing "fine" (not gonna say perfect, but also generally competent) have a parent organization that manages all this audit and policy stuff. In my experience the parent org is nearly impossible to change from the direction of bottom-up. I can get someone to forward an inquiry to them but it takes forever and from their side it's going to look like "hey boss, so, 4 of the 5 subsidiary companies passed the security audit already 2 months ago and the 1 that didn't pass is trying to tell us to modify the policy" to which they'd say "how did nobody else mention this? sounds like they are being difficult. Can we just hurry them along? The audit is already overdue and we need all companies passing for this quarter" and the response you'll get back is essentially "deal with it"