CDC is A way to go, not necessarily the way to go.

It has some limitations. And, as far as having zero impact, that's partially correct. It doesn't extend the duration of row-locks, but it does require CPU cycles and I/O bandwidth. So it's not really "zero impact", but the impact is often lower than comparable triggers.

As already mentioned, it has limits on being able to do things like capture the user ID, application, connection string, SPID, etc. If all you need is an audit trail of data changes, then CDC can be excellent for this.

CDC also has some limitations with regards to replication, recovery models, and disallows things like truncates on logged tables (note that triggers can't capture truncates either). It also requires that SQL Agent be running (to enable scheduled log-scans). Triggers don't have most of those limitations. (They have other limitations, of course.)

CDC also won't automatically add new columns to a log, while it's relatively easy to set up a DDL trigger to modify a logging trigger. Not an issue if you don't add columns often enough for that to matter, but it can catch people by surprise.

So, which one is better really depends on the purpose of the audit log, and the requirements of the database being audited. If you need Simple Recovery, for whatever reason, then CDC won't do it, but triggers will. If you need zero-impact on locking, then CDC can do that but triggers can't. And so on.

Define the purpose of the audit trail, and you'll get a lot closer to defining which one is better for your needs.