SOC2 has been in trouble for a while now. Completely gamified. I was managing an acquisition of a healthtech company and asked if they did an internal risk assessment as part of their audit. Nope.

SOC2 certified, has never actually put to paper "here's what we know we're doing wrong, here is how we plan to remediate it."