Companies are already following a bunch of standards like SOX, SOC2, HIPAA, etc., and documenting their adherence to checking all of the boxes, but incidents still happen every week.

I say this all the time, corporate security is 100% a game. Unless you are a part of the small group of people literally working on exploit dev you are feeding the security delusion as a service apparatus. Also, contrary to how things started (phrack, L0pht, zines, etc.) your average corporate security drone is almost universally a dull-witted, uninspired specimen.