Is the statement 'Creating ACLs is the most time-consuming part of firewall management' true?

In firewall management, the ongoing workload tends to be dominated by policy maintenance, monitoring, and audits rather than by writing ACLs. Creating access control lists is an important setup task, but once the rules are in place, most of the time goes to monitoring traffic and alerts, triaging incidents, updating policies as business needs change, and going through change-control processes to safely apply modifications. Regularly reviewing and pruning rules to prevent creep, testing changes in a staging environment, and documenting configurations also consume a lot of effort, especially in larger environments. While initial ACL creation can be time-consuming in a new deployment, it’s the recurring operational work that generally takes more time over the lifecycle, so the statement is not generally true.