throwaway892238 | 2 years ago
The big problem is it's all self-attestation. I've worked for one of these vendors, and it was a lot of jackass business people who didn't actually care if anything was secure, they just wanted to "pass" their certification as quickly as possible and cut as many corners as they could. Didn't want to spend money on a contractor who knew how to actually pass these certifications, so instead they'd just lean on the IT dude and demand he complete things he didn't know anything about on impossible timeframes, asking him to do things which they might be legally liable for, and basically trying to avoid doing any actual security work if at all possible. Lowers cost, gets their project going faster which helps them land more contracts and get a promotion.