Unfortunately, 99 times out of 100 these are just dog and pony shows meant to look like you're doing something when you're just sighing heavily *along with the auditors* and patting C-levels on the head, assuring them everything's sugar and rainbows.
Security (as desired by C-levels and consumers) is a fantasy. It's not possible. Attack surfaces are WAY too large, best practices are a black art that works *some* of the time, a little, but not really.
The reality is it only takes one hole to sink a ship, defenders have to be perfect to protect their companies, and they lack control of the very things they need (such as source code for third-party products), which even if they did have they couldn't understand or fix.
Security is simply an NP-C problem, basically insoluble. It's time to admit that and get genuine solutions instead of the current feel-good non-solution hoops idiots make us jump through now.
What genuine solutions? Ah, now *that* is the right question...