The audited firm is responsible for providing the "control" evidence, so if you say you rotated all your creds last year, and didn't use "solarwinds123", then the auditors will believe you. The auditors don't personally check the creds on all your systems, so while SOC2 gets your org thinking about all the right processes, the onus is still on your DevOps/SecOps/BizOps teams to do security right.
Overall, I'd rather be working with a certified vendor than not, but SOC2 ain't PCI.