This is also my experience with risk audits in IT: you get asked a lot of stupid questions and spend a lot of time engaging in extreme hypotheticals, but in the end there are always one or two “hmmm I hadn’t thought of that” moments which lead you to significantly increase your security.
