It can be both. There are going to be companies that are serious about actually protecting their customers (but don't have the technical know-how to be an informed customer), and there are companies that see these laws/rules (PCI, HIPAA) as hindrances to cast aside with the least possible effort.
On some level, the fact that compliance regulations exist is an indication that security is not a priority for many of the entities that they apply to.
Certainly snake-oil is a problem, but I think this particular area is one where buyers are most concerned about being able to effectively claim that they made what seemed like reasonable efforts.