Audit results are taken very seriously by companies operating in heavily regulated industries that intend to stay in business, so healthcare, finance, insurance etc.
If you are a team lead doing programming for one of these sorts of companies and the auditors come round with some findings, I promise you that you need to take it deadly seriously. I've seen engineers fired for cause by the board of directors of a Fortune 500 for failing to do so. Word gets around and nobody will touch them after that. It's literally career ending to pooh-pooh audits.
Tech companies are the odd man out when it comes to audits, which is why it's possible for so many in a thread like this to have opinions that are so wildly inconsistent with reality. Who knows how much longer that will last, particularly with advances in AI.
It means delaying or coming up with excuses for why you can't have security concerns remediated within the agreed-upon time frame. Regardless of the technical challenges involved.
Audit remediations are not the kind of projects where delays are acceptable. You absolutely must drop everything else you've got going on in those situations if you even remotely get a hint that the project might be behind.
The reason here is that your boss and your boss's boss can't save you. If bad audit results come back you can bet the C-suite had an emergency meeting discussing how to explain them to the board and the timeframe for getting them fixed. And you can bet they made some sort of commitment.
There are hundreds of millions to billions of dollars on the line in insurance premiums and future legal process in some cases. Oftentimes cyber insurance will mandate some kind of timeframe for remediation upon notification of a security issue. So you'll get hit with penalties well before the next audit if you delay. You don't want to be the programmer(s) that missed a deadline there.
I also went to some very good schools and did not live in a rich area. It was a good area sure, you weren't going to hear gunshots on your walk to school, but it was not the "rich people" area. The rich people area actually had worse schools academically speaking. This makes sense when you think about it. We tended to have a lot of students whose parents were highly educated immigrants, whereas the rich part of town generally tended to be old money and not as focused on being hyper competitive academically.
There is no single answer to your question. In general, they are okay if averaged out. US schools get a bad rap compared to other rich countries mostly due to some very tragic situations that make it impossible for some schools to do their jobs. For instance, there is a not insignificant portion of the student population in some places that do not speak English as a first language and sometimes at all. This is not necessarily the worst problem with our schools, I chose it simply as an illustration of something that can lead to low performing schools even if the school and staff are otherwise doing their jobs exceptionally well.
On the other hand, the US also has some of the best public schools in the world. In a lot of cases, public schools beat out very expensive private schools in metrics like average AP score, average number of AP tests taken, average SAT, percentage of students at or above grade level, etc. At this high end, the US school system outperforms peer countries significantly. It's often the case that these high performing schools are relatively accessible for non-wealthy people as well. You just need to rent an apartment nearby. You don't need to buy a property in Martha's Vineyard. If these types of schools didn't exist, and the US public school system was as bad overall as it appears in the media, I suspect we would not have as many ambitious and highly educated immigrants wanting to live here.