I think security became part of compliance so security recommendations got detached from actual security. It seems like a lot of security recommendations are just busy work that justifies having a huge compliance industry. So an example of this might be security scanners for code where the output is not even useful. But using the tool, which searches for irrelevant findings, is required for compliance even if it basically does nothing for security.