If you go back through my posts on Google+ or even LinkedIn, it's quite clear that, after working in the network security arena for close to a decade, I find it beyond pathetic how long this has been going on. I guarantee you, if you ask any veteran penetration tester who has logged over 50 engagements with clients (and some of them, if truth be told, are honest enough to divulge how many rules are "bent" by their Project Manager or Director in order to get deliverables out the door, with weak mitigation rationales based upon a porous perimeter design), you would be quite surprised. It would blow your minds, the stories they could tell. This is across all information security standards: HIPAA, DIACAP and PCI-DSS.
Now, that being said, I have to hope and pray that there are some very top-notch security practices, and leaders who run them, who I know would never compromise their professional integrity or get caught up in the "snake oil" and "climate of fear" based marketing and business tactics; but unfortunately many do.
There is nothing left to say anymore about this.
This is a well written article, detailing the relationship to the Neiman Marcus and Target compromises.
I think in the end you will see that there is much crow pie to go around, but if you follow the money it always lies at the level of the senior leadership of mediocre, integrity-devoid security practice managers and their respective clients, who just want the certification without any mitigation or cost overhead. End of story.