I once worked at a small pen-testing firm that also conducted PCI DSS compliance tests, and I can confirm that this is an accurate depiction of the industry. A majority of the staff were recent grads, and it was disheartening to see that most clients were primarily interested in obtaining the compliance certification rather than genuinely improving their product security. This, in turn, creates a perverse incentive for auditors to grant compliance, as clients who don't get the desired outcome may simply switch to a different auditor. In such a setup, it's difficult to ensure that security standards are genuinely upheld. On a positive note, these compliance tests do help in making sure that card data isn't stored in plaintext, but beyond that, the overall impact on security seems rather limited.
Not financial sector, but in my own experience working in tech consulting partnering with large management consulting firms in the past, security was the last thing to get checked and the first thing to be neglected.
Sure, there were some "bare minimum" things that were expected to be upheld, like passwords not being in plain text, but come time for a security audit it was exactly as you say. Not done out of genuine interest in security but as a rubber stamp of items to be able to show the client "look we did this".
Not even joking when I say that the development plan for most of these projects basically just tacked on a few days in the last week for "security improvements" alongside things like "tech debt" rather than it being a top of mind thing for the entire development process.