Yeah it seems like the current version of InfoSec is closely tied with compliance and audits. Meaning they don't really care about getting hacked as long as we filled out the right form, and checked the right check boxes and the lawyers are happy. I also agree that these days, the average InfoSec Engineer is less technical than the average Software Engineer and it shows. The security tooling is just terrible relative to other areas.