Or maybe snake oil is the wrong term. I don’t know if there’s a term for someone who warns others and they never listen, because it seems no matter how much you break into buildings and expose the flaws, hack a bank’s transaction, or infiltrate a database, the company will thank you, pay you a few hundred thousand dollars, then do nothing to change.
Essentially it just seems like I’m helping big companies bypass regulations by rubber stamping their pinky promises to change. I guess internal security auditing might be a little better, but I don’t know.
The nature of cyber security and vulnerabilities is banked on things being overlooked. Bug bounties are honestly a great idea because A) hackers will do this regardless, A-2) if there isn't a good legal outlet, the vulns can do a lot of damage, and B) might as well pay the hackers for their time so they don't sell to a higher paying buyer.
The industry as a whole is more complicated. I wouldn't call red-teamers selling snake oil, I'd say a majority are incredibly skilled, the shitty part is when execs pay for the audit but not the remediation.
Regulating secure software honestly sounds like a nightmare and a fool's errand. Not in a "regulation is bad mkay" sorta way, but the people writing the regulations almost never know the systems.
Properly punishing companies for allowing data breaches with a paper trail of being warned is probably a better way forward.