A lot of that comes down to the costs associated with not being compliant and/or the requirements of existing contracts/insurance policies, where having dedicated FTEs for compliance is a requirement. Compliance might not be hard for the person/people managing the program; however, it might seem difficult or complex to the FTEs that have to build to those standards if they do not have a security or governance background.
I assume they mean "getting a SOC2 report", which is the part that Delve attempts to automate. The maintenance of controls, adoption of new policy as the company evolves, etc., is what someone will do in the full-time role and that Delve et al. would do nothing to assist with.
Maybe they meant "Not hard != quickly done". I don't think many people think bureaucracy is especially difficult. It's just time consuming.
But frankly if they meant that, the statement doesn't really say anything at all. Because what in this world is hard if you stop taking shortcuts and spend time doing it correctly?