Vendors set deadlines, analysts warn of falling behind, and the rhetoric is relentless – much of it built on a misconception about what security and compliance actually require.