by raesene9
432 days ago
Conceptually, I don't think CSPMs are answering complicated questions, however there's quite a lot of complexity (IMO) in scaling the answers consistently, and keeping up to date with all of the tests that need to be implemented. If you think about the number of services that AWS/GCP/Azure have, adding good compliance checks across even a portion of those is quite a lot of work :)

A small example from an area I know something about is maintaining the CIS Kubernetes benchmarks (which are used by a lot of CSPM products as a source of rules). Here you've got the different Kubernetes distributions and then each of the cloud distributions has its own CIS benchmark as the checks are different depending on the cloud in use. Then you have changes over time as different clusters run different versions of Kubernetes, so have different checks. Then you add in that the benchmarks don't release with every new version of Kubernetes, and you can end up with quite a complex matrix of checks.