I completely agree with the outlook, but from a practical standpoint (in the last couple of years) I have seen the opposite. The SOC2 process is often transformative ("should" vs "is" are not the same thing).

Especially smaller startups, who grew somewhat quickly, and now "want to get SOC2 because customers want it". In practice this also (often, unfortunately) means "not all employees should have AWS admin creds, we should have some separation between environments, and we should know who has access to what".

For these companies SOC2 "requirements" can be the business-value line item that can get proper security and access-control patterns in place.