Pfft. Have you ever had a project EALx/Common Criteria certified? The program is a joke. You can certify a ham sandwich if you document what brand of mayo you use.
We had some experience with it but indirectly. EALx is a bureaucratic joke, but I see FIPS 140-2 more emphasized.
The higher the level of the customer (the more authority they have) the more flexible they are. Some lower level labs don't really have much of a choice but accept a standard boiler plate set of certification stamps.
FIPS 140-2 is very narrowly constrained and the parts that aren't crypto-related are the same kind of boilerplate make-work that EAL2/EAL3 is. But also bear in mind that you can pull a list of EAL4+ products right now, and quickly see how many of them have had ridiculous vulnerabilities.
The higher the level of the customer (the more authority they have) the more flexible they are. Some lower level labs don't really have much of a choice but accept a standard boiler plate set of certification stamps.