This is exactly why (good) defenders work by threat modeling using different perspectives and representations: one of them being attack graphs. But yes, a lot of the mandated compliance and governance stuff is just checking lists, which is why it does not work.
Compliance requirements are the table stakes you should do in your sleep so that you spend most of your time decomposing risks (attack graphs or not). It's a mistake to dismiss compliance (or CIS in another poster's comment) as useless; they are basic, and the fact that so many can't deliver the basics is a huge issue.