Absolutely. And it is strictly security theater. We're delusional to think that checking the boxes on these arbitrary lists is making us "more secure." It's very frustrating to have a role in this game and find yourself completely unable to combat the bureaucracy.

This is so true. And big corporations push around smaller vendors to have so many compliances, insurance and other certifications in place, whereas larger vendors can get away with insane security and privacy lapses just because of legacy. Makes me mad.