This.

If you want to be a security vendor reseller, just make sure to sell to orgs that have a compliance requirement, either by law or similar.

Do you sell firewalls? sell them to banks or something. Anti-malware endpoints? Insurances too. SIEMs? payment gateways for their PCI DSS environments.

Price it just below what would be the fine for not complying, that way you maximize the invoice.

I stopped playing the security vendor reseller game because it got too boring this way to make money.