I think it depends on many things.
What is the possible impact on the company of failing this point? Legal? Financial?
Is the point an important metric that you need, and is compliance low no matter how many times you've made the point?
In general, I'm not a fan of auto-fail, but in cases where GDPR or HIPAA comes into play, it may be a necessity.