I came across this gem in sc-100 prep material:

While compliance provides a consistent required baseline of security best practices and controls, compliance with security standards is insufficient to make an organization "secure". Keeping an organization secure can change dynamically by the week, day, or hour as adversaries learn to exploit different parts of the organization's complex attack surface. This attack surface spans countless thousands of implementation details across an incredibly complex technical estate of IT, OT (operational technology), and IoT (Internet of Things) systems and employees, contractors, partners, vendors, customers, and more. Being compliant with security regulations is important, but it is not enough to be secure.
...
...
While compliance frameworks are an excellent way to communicate and enforce a minimum security baseline, they can't keep up with adversaries that change tactics daily to make their attacks successful.

(Source: Microsoft Cybersecurity Architect Exam Ref SC-100)