What does "failing to do so" look like most times, if you don't mind me asking?
No I don't mind.

It means delaying or coming up with excuses for why you can't have security concerns remediated within the agreed-upon time frame, regardless of the technical challenges involved.

Audit remediations are not the kind of projects where delays are acceptable. You absolutely must drop everything else you've got going on in those situations if you even remotely get a hint that the project might be behind.

The reason here is that your boss and your boss's boss can't save you. If bad audit results come back, you can bet the C-suite had an emergency meeting discussing how to explain them to the board and the timeframe for getting them fixed. And you can bet they made some sort of commitment.

There are hundreds of millions to billions of dollars on the line in insurance premiums and future legal process in some cases. Oftentimes cyber insurance will mandate some kind of timeframe for remediation upon notification of a security issue, so you'll get hit with penalties well before the next audit if you delay. You don't want to be the programmer(s) that missed a deadline there.