by lexokoh 658 days ago
I think it's more of a start. I don't think an average Joe who got 90% will assume this. 90% is big.

Average Joe and businesses alike will assume that a tool telling them their site is secure means that they don't have to worry much about it. A tool that can easily be made to report "100% secure" is then quite harmful.

Even large corporations rely largely on buying reports, and in turn buying products to fix the results of those reports as their primary security strategy.

I get your point, but I still can't believe the average Joe would think like this. Also, large corps get SOC2, yet they are still not secure.

Also, auditors use tools like this or have their tools to get reports telling them they are 100% secure.

No one should ever assume 100% security, even when the odds suggest otherwise. Maybe you are right.

> Also, large corps get SOC2, yet they are still not secure.

SOC2/ISO27001 audits are just "are you living up to the processes you defined yourself for SOC2 compliance", not "are you secure". It is dealt with by whatever Compliance unit the company has and only serves to avoid legal issues, and has nothing to do with whoever runs IT security.

Security audits are usually quite laughable, and work tends to be initiated by security vendors who happen to have a scan that gives some "very bad" result, which they just so happen to have a silver bullet product to fix. Then the company uses that scan until the next company comes along...

Few companies take security seriously, designing things for security rather than just buying whatever bandaids they see in the store.