Re: Schroedinger's laptop...
I think it's more like a Health & Safety Assessment, or a request for investigation into any similar circumstances.
Are we secure? We don't know until we look.
But looking will collapse it into a state permanently. We will discover, forever, whether we are secure or not. And then have to do something about it if we're not.
And I guarantee the answer is "not" because there's always something that someone will find, no matter how unlikely and unexploitable and necessary it is. Because the second you "look", you've given someone the job of finding something, probably at great expense to yourself and great profit to themselves. And, thus, they will find it. And they will prove that you were "insecure".
I had an audit at my previous job. The recommendations summary (of a 100-page report into IT) was a four-page list, split into two - one for IT, the other for stuff my employer would need to do to support IT. The IT section was actually a bullet-point list in the top row of a table on landscape A4. You couldn't have got a smaller list out of an audit if you'd TRIED to do so, so I consider that "passing with flying colours". The rest was ALL recommendations for my employer.
One of the items on the bullet-list for IT? I needed to "write a policy document on the web-filtering policy" at my workplace. That's seriously how petty it got. Another was "Tackle any existing issues raised". But... that was the point of the audit, wasn't it?
But the problem for my employer? The rest of the four-page recommendations **summary** document listed countless things that THEY were doing wrong. Not enough IT staff, not enough paid hours, not enough holiday time taken from holiday allowances, unrealistic expectations, that IT weren't notified of things and had to play "be a psychic" too often, that all the other staff were not trained enough on IT (seriously: ALL), that they needed to carry out detailed studies into several projects that had never got off the ground (not due to IT but which would have helped immensely), that nobody but IT was taking responsibility for things (and then everyone trying to blame IT when they wouldn't make the decision themselves), etc. etc. etc.
The audit guy and I couldn't stand each other, but he did me two huge favours - the audit recommendations showed me that I wasn't being anywhere near as awful as I was being led to believe, and that six months later, I could walk (with a clear conscience) having completed all my audit recommendations to my employer's satisfaction, but without A SINGLE ONE of theirs having anything done to it. And one of them was "Decide who should be in a user steering group for IT to liaise with". Seriously. Not done. They "Hadn't had time". I walked.
My next employer did query things, obviously. I furnished them with a copy of the report. They made a phone call to my previous boss (who'd also walked). I got the job and never heard another word about it. But I guarantee my previous employer still hasn't done anything recommended on that report.
When you open the box, you'll find a can of worms that you can't put back in there, or hide, or pretend doesn't exist. That's why some people prefer not knowing.