Regulatory Compliance Question

For those IT security pros out there, a question:  has the increase focus on regulatory compliance (SOX, HIPAA, etc.) been an overall positive or negative for you?

I am wondering if your companies/clients are using compliance as a reason to fund projects that they should have been doing all along (e.g., automated user lifecycle management, strong(er) authentication, more effective change management, etc.), or are they focusing on just doing enough to get by (e.g., wrangling tons of reports for the auditors so they can get a signoff, documenting lots of manual processes, etc.)

I really appreciate your feedback on this topic...