> many early customers care more about transparency and good security hygiene than the certificate

I work on audit compliance for a SOC2 compliant system, and as part of our own audit requirements it is non-negotiable that all of our vendors must themselves be SOC2 compliant.

I very much doubt anyone who has a SOC2 requirement is not in the same boat with respect to dependencies