The ideal flow here is:

1. Do good security and operations.

2. Overlap the minimum subset of your existing good security and operations as evidence for whatever compliance regimes help you get paid.

3. Get paid.

Nobody is suggesting that you bullshit the auditors. They’re suggesting not letting the auditors accidentally trick you into letting step 2 get in front of step 1.
