Comment by giantg2

3 years ago

I think the main issue is in perceptions of what the service is.

Maybe some think this person should be some industry expert, computer whiz, hacking genius who will guarantee an impenetrable system.

In reality it is as you describe - checklists of questions and procedures by someone who knows the basic concepts with managers who don't know the technical details. Nothing will guarantee an impenetrable system, so corporate is happy just to check the box that a review was done. They just want to make sure they aren't leaving the front door open so the insurance they buy will pay out.

I'm an application security champion who works on our team's systems to ensure they meet the company security standards. I have worked closely with some external consultants on a few reviews of systems.