You are confused. They are not "security" roles, they are compliance roles. That's all most enterprise customers really care about. They satisfied all of the compliance rules, and are following "best practices" (influenced by MS), anything that happens is not their fault.

And having more busywork to do is actually a good thing. Having people employed to do said busywork shows how serious they are about "security", without requiring any skills that are difficult to hire