You can do either, and should probably be doing both. You should edit rules to reflect the actual standards that exist in your environment. You should then create exceptions for settings and systems that you know are out of compliance, but for which you have a good reason for allowing them to be out of compliance. Exceptions document the OOC state and allow you to provide reasons, sponsors, and deadlines for these non-compliant conditions.
An example is a standard where no account is ever allowed to have "Password Never Expires" set to true. This might be used in conjunction with other rules to ensure password expiration is every three months, for example. However, you may have some service accounts that you don't want to be getting disabled every three months, so you set these to never expire and they come up as non-compliant. Then you create one or more exceptions to override the non-compliant status for these known accounts, and maybe you also make those exceptions expire once a year to allow for a review of the accounts granted the exception.
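The rule-plus-exception model described in the answer above, as an added illustration that is not part of the original post and is not tied to any particular compliance product. It assumes a hypothetical account record with a `password_never_expires` flag, a rule that fails any account with that flag set, and exception records carrying a reason, a sponsor and an expiry date. Once an exception passes its expiry the account reverts to non-compliant, which is what forces the annual review the answer mentions; a second helper lists exceptions whose review is coming due. All account names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# --- hypothetical data model (constructed for this example) ---------------

@dataclass
class Account:
    name: str
    password_never_expires: bool


@dataclass
class Rule:
    rule_id: str
    description: str
    check: Callable[[Account], bool]  # returns True when the account complies


@dataclass
class ComplianceException:
    rule_id: str
    account: str
    reason: str
    sponsor: str
    expires: date  # after this date the exception no longer applies


# The standard from the answer: no account may have "Password Never Expires" set.
PWD_RULE = Rule(
    rule_id="PWD-NEVER-EXPIRES",
    description="No account may have 'Password Never Expires' set",
    check=lambda a: not a.password_never_expires,
)

# Constructed sample accounts: two users and two service accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", password_never_expires=False),
    Account("bob", password_never_expires=True),          # out of compliance, no exception
    Account("svc_backup", password_never_expires=True),   # known OOC, current exception
    Account("svc_legacy", password_never_expires=True),   # known OOC, exception lapsed
]

# Constructed exceptions: each documents why, who sponsors it, and when it lapses.
SAMPLE_EXCEPTIONS = [
    ComplianceException("PWD-NEVER-EXPIRES", "svc_backup",
                        reason="Backup job breaks on forced password rotation",
                        sponsor="infra-team", expires=date(2024, 6, 20)),
    ComplianceException("PWD-NEVER-EXPIRES", "svc_legacy",
                        reason="Vendor appliance cannot rotate credentials",
                        sponsor="app-owner", expires=date(2024, 1, 15)),
]


def find_exception(exceptions: List[ComplianceException], rule_id: str,
                   account: str) -> Optional[ComplianceException]:
    """Return the exception covering (rule, account), if one exists."""
    for exc in exceptions:
        if exc.rule_id == rule_id and exc.account == account:
            return exc
    return None


def evaluate(accounts: List[Account], rules: List[Rule],
             exceptions: List[ComplianceException],
             as_of: date) -> Dict[Tuple[str, str], str]:
    """Evaluate every account against every rule, overlaying exceptions.

    Status values: 'compliant', 'non-compliant', 'excepted', or
    'non-compliant (exception expired)' when a documented exception has lapsed.
    """
    results: Dict[Tuple[str, str], str] = {}
    for acct in accounts:
        for rule in rules:
            if rule.check(acct):
                status = "compliant"
            else:
                exc = find_exception(exceptions, rule.rule_id, acct.name)
                if exc is None:
                    status = "non-compliant"
                elif exc.expires < as_of:
                    # Exception has lapsed: the OOC state is visible again until reviewed.
                    status = "non-compliant (exception expired)"
                else:
                    status = "excepted"
            results[(acct.name, rule.rule_id)] = status
    return results


def due_for_review(exceptions: List[ComplianceException], as_of: date,
                   within_days: int) -> List[str]:
    """Accounts whose exception is still valid but expires within the window."""
    horizon = as_of + timedelta(days=within_days)
    return sorted(e.account for e in exceptions if as_of <= e.expires <= horizon)


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed evaluation date
    for (acct, rule_id), status in evaluate(SAMPLE_ACCOUNTS, [PWD_RULE],
                                            SAMPLE_EXCEPTIONS, today).items():
        print(f"{acct:12} {rule_id:20} {status}")
    print("review soon:", due_for_review(SAMPLE_EXCEPTIONS, today, within_days=30))
```

Run as-is it prints one status line per account and the list of exceptions that need review within 30 days. The separation matters for detection and audit: a report produced from `evaluate` shows `bob` as an undocumented non-compliance that someone should look at, while `svc_backup` is visibly out of compliance but carries a sponsor and a deadline, and `svc_legacy` surfaces again precisely because nobody renewed its exception.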