I think that this is a fairly good overview of a few of the security standards out there. They are really there to give organizations a framework to work within when building a security program, and help those companies make sense of, and plan for, security.

The government has other similar standards (SP800-53, FISMA, etc) that govern how government agencies protect their data (I know from experience), and any regulated company is subject to some standard or another.

Standards ARE good, in that they create an ideal – the things you should include in a security program. You are quite correct in that their major drawback is that they also tend to promote a “checkbox” mentality in the organizations that adopt them. The “checkbox” mentality is one in which things are done so that you can mark off the appropriate checkbox, and not because of a desire to improve security. Because of that, it’s often done half-heartedly, or worse – sloppily.

Companies that are regulated (or do business with the government) will do as little as possible to meet their security obligations. The reason for that is simple economics (doing more costs money, and there’s no impetus for them to do more). Until that changes, and there are motivators driving organizations to focus on actually securing their data/network/systems, this is unlikely to change. An organization often must feel the pain of NOT properly managing security in order for them to start managing security properly.

I’m being a little too long winded here, so I’m sorry for that.

Overall – great post!

(I work in Infosec, and have been a systems security officer for a government contractor, so speak from experience)