by vishnugupta 603 days ago
This.

To add, if you ever want to get ISO/PCI DSS etc. certification done, then good luck implementing the gazillion checklist items which Azure/AWS/GCP have already taken care of.


Which is bullshit, because the auditors ALWAYS miss stuff, even things I would think are painfully obvious. It’s a cottage industry that allows the C-Suite to assure investors that they have taken all necessary precautions, so when they get hacked they can point and say “we were certified!”
I completely agree with you that they are mostly used as CYA. However, I'm speaking from a practical standpoint, where if you have to work in certain industries (banking, health, finance, etc.) the first thing you are asked is whether you have XYZ certification.
It’s not a cottage industry. It is literally the law if you need to operate in some regions.