About a decade ago (give or take a year) our small web company had a PCI test against our network and a 500-page PDF ended up in my email. The “report” was obviously the vomit of a program detailing every issue for every site . You would think that after the 50th time our DNS resolvers were “open to the public” (as it were) that the stupid program vomiting the report would realize it’s reported the same DNS resolvers each time.
 It didn’t help my perception of the report when it screamed that “ICMP echo was enabled and nefarious scalawags might be able to do unspeakable acts against our computers, best cut the network cable” type of advice  (yes, I know port 443 is open! WE’RE A WEB HOSTING COMPANY SERVING UP COMMERCIAL WEBSITES! ARE YOU PCI AUDITORS STUPID?)
 Okay, the ICMP echo thing was reported, but did not need to be disabled to pass the audit. If so, why even bring it up?