While looking for information on system auditing I stumbled on this quote from the Debian Administrator’s Handbook.
14.3.3. Detecting ChangesOnce the system is installed and configured, and barring security upgrades, there’s usually no reason for most of the files and directories to evolve, data excepted. It is therefore interesting to make sure that files actually do not change: any unexpected change would therefore be worth investigating.
It perfectly captures my view on the subject. For me this is the point where CM and security overlap and begin to be the same problem.