


> The whole industry is a fucking racket.

That seems plausible, but can you flesh out the argument?


Not OP, but from my experience with SOC2 the auditing and compliance can be a complete joke. There are auditors who're entirely satisfied so long as an engineer dismisses all the Dependabot alerts in GitHub (even if they're all dismissed with the "don't have bandwidth to fix this" option).

> SOC2 is a weak positive indicator of security maturity [quoted from TFA]

I'd argue it's no indicator at all.


It’s an indicator that you paid your protection money to the industry audit mafia. Racket, like I said.



