The problem with the current frameworks is that the "controls" are so asinine and auditors so hard headed, that getting certified becomes a matter of "checking the box" .
Particularly most of those frameworks REQUIRE maintaining so much paper red tape that make a 10 person startup want to kill themselves. And in addition the costs are stupid high for startups that are just "starting up".
On the flip side, how many large companies have we seen that have all the SOCs, ISOS and whatnot certifications, and they get pwn3d and their data stolen or exposed.
It tells you that a place being certified doesn't guarantee shit.
The reality is that large companies ask for certs as a CYA mechanism: the "security" department of LargeCo, asks for the compliance cert so that when shit hits the fan, they can say "not my fault, they told me they were compliant"
The good thing is that with the new Bullshit generators (llm) this certifification/compliance process will collapse.