It's always been one.
Every single technical auditor I've dealt with has been majorly incompetent and wanted to do things that would decrease security. And these were not some cheap bottom-of-the-barrel companies, but the big "industry leaders".
Never forget https://serverfault.com/questions/293217/our-security-audito...