Its not a high-trust thing, these vendors exist largely because it gives the organizations with direct relations with consumers a step of removal when a breach occurs; they are blame-outsourcing firms.
Sure, but companies also don’t want to deal with building the system themselves (especially if you want to support multiple countries) and dealing with potentially doing something wrong like violating anti-discrimination laws.