I used to work in a place where we constantly got looked at by security companies and consultants. The wisdom of that time? Companies don’t hire security firms and consultants to find nothing, so no matter how asinine or impractical it is, they’ll still file it because an empty report is bad for business.
Our security handling was pretty strict, and we had to constantly talk customers off the ledge and kindly inform them that their consultant was blowing crazy swamp gas up their asses. My favorite was a firm that listed all Easter eggs as a vulnerability. An open source package could raise the list of developers with a secret key combo, and so the customer saw this on their report and raised a stink. The customer had no idea what this all meant, but their consultant had scared the crap out of them, so we had to layer on a patch to disable the stupid thing.
