It's pretty counterintuitive from an auditing perspective. If the PCI standards require server racks to be painted red, it's entirely normal for an auditor to ask to see them, and very suspicious for you to say that they're in an encrypted box where nobody can check if they're red or not. I don't mean to excuse it, but I can understand how the error happens.
This is true. Maybe it's someone seeing a requirement like "all passwords must conform to these rules" and deciding that it means they need to check them directly, instead of looking at the systems that enforce that constraint.
