Yeah, it seems like the general case is: in a perfect world, compliance doesn't make you more secure because you already are. But, in reality, compliance CAN make you more secure because you can't get budget/resources to be secure in the first place.
Busy work, yes, but not without actual value if you make a decent effort. There are always the checkbox-compliance people who just want auditors to go away (well, we all want that, but you know what I mean).
From the vendor side, we saw people in the same industries you'd expect to have data to protect invest in monitoring tools BEFORE compliance was a big thing (banks, hospitals, legal, government, etc.), but compliance definitely gave security monitoring a lot of momentum. The difference in retail companies' investment due (thanks?) to PCI is pretty significant; I think that's the big one that also gets a lot of shame.