Is it easy to bs your way through a soc2 certificate? Like are the companies in my experience lying or gaming the system, or are the auditors incompetent?
Why would a vendor get a SOC 2? Because their customers demanded it. Why did their customers demand it? Their customers demanded it.
99% of it is a useless make-work assessment demanded by equally incompetent customers' auditors, who demand it to justify their own existence.
But forget the report for a moment. The work that goes into answering the questions and providing the evidence requires tidiness and systematic attention at a scale and duration that is unlikely without the SOC 2 (or ISO xxxxx or whatever) audit looming. That imposed journey is very much the reward.
YMMV, but as someone who's wrangled organizations through multiple years and scopes of SOC 2: You may not get a lot out of the final report, but the process is a tremendous forcing function for good practices that most organizations need.
Sure, it may raise the baseline, but only as much as a teacher telling off a bunch of middle school boys before walking away.
At least for our auditor, that means pentest and remediation steps, risk assessment and treatment steps, BCP/DRP and IRP must be updated and each tested, vulnerabilities reported, access audited, etc. Ship-shapeness becomes metronomic and mandatory.
The gating factor isn't the duration or intensity of the auditor's gaze, but how well the local infosec team can use that gaze to bump the organization forward ("make hay while the sun shines"), and whether/how well it can make the process a ratcheting movement forward. If everything and everyone could backslide 100%, I would share your cynicism. That decay is not inevitable IME. Of course, YMMV.