Hacker News

dasil003, last Saturday at 8:34 PM, 0 replies

This really resonated with me because I'm also working to avoid becoming more cynical as I gain experience and perspective on what problems "matter" and what solutions can gain traction.

I think in this case the cognitive dissonance comes from security-minded software engineers (especially the vocal ones that would chime in on such a topic) misunderstanding how rare their expertise is as well as the raw scope of risks that large corporations are exposed to and what mitigations are sensible. If you are an expert it's easy to point at security compliance implementation at almost any company and poke all kinds of holes in specific details, but that's useless if you can't handle the larger problem of cybersecurity management and the fallout from a mistake.

And if you zoom out you realize the scope of risk introduced by the internet, smartphones and everything doing everything online all the time is unfathomably huge. It's not something that an engineering mentality of understanding intricate details and mechanics can really get one's head around. From this perspective, liability and insurance are a very rational way to handle it.

As far as the checklists go, if you are an expert you can peel back the layers and realize the rationales for these things and adjust accordingly. If you have competent and reasonable management and decision makers then things tend to go smoothly, and ultimately auditors are paid by the company, so there is typically a path to doing the right thing. If you don't have competent and reasonable management then you're probably fucked in innumerable ways, such that security theater is the least of your worries.