
Honus is on the auditors to know what works and what doesn't. Auditors tell you "these are the things you must do to be compliant". Then the oilmen have to sell to people who lose money if they're wrong.


Ticking boxes helps with security, but it tends to be easy to tick the box and yet mitigate much of the actual benefits. When this is cheaper, some companies will choose it, and snake-oil salesmen will help them do that.

You need some kind of incentive that derives directly from the end goal (fewer breaches), rather than some derivative (better standards compliance). Auditors certainly have their place, but we need more than them.

edit: Also, you probably meant 'onus' rather than 'honus'.



