This is the biggest flaw in compliance – that a network that has been audited as meeting its legal obligations is seen as somehow acceptably secure. No network ever will be secure in this sense. Procedures can be laid down in black and white but they will never be followed correctly at all times. Mistakes will be made and unforeseen threats will emerge.
Regulations, by their nature, are static, while IT security is dynamic, reacting to new threats, anticipating future attacks, working to shore up previous weaknesses and new vulnerabilities. HIPAA tried to address this dichotomy by making the regulations non-technology-specific, and to some extent it worked. But there is still that dynamic tension between the 97-pound weakling of your IT budget and the bully who is kicking regulatory sand in his face.