Enterprise security is cargo cult to the max.
You can run 10 different dependency scanners, static analysers, AI analysers, it doesn’t prove shit. You can be SOC1, SOC2, SOC1337, whatever and still have the most moronic bugs. The same ones looked over by the pen test firms running some basic ass open source tooling and bike shedding over shit that makes no difference.
The same companies won’t run a security bounty program because they think it’s a waste of money.
Security people just don’t get it, they don’t think like the bad guys.