Sure but the point still stands. Why should anyone trust that you, or your company, is any good at security compared to say CIS?
If you have homegrown security and can show your QSA your detailed policy document and that it's a superset of CIS, STIG, NIST, etc. with documented exceptions then it'll be no problem.
I avoid homegrown whenever possible because it's a rabbit hole that never ends. If you instead say CIS level 2 then you can clearly define when you've done enough.
Because checked boxes don’t mean much. CIS level 2 = a lot of checked boxes. Using cyber security frameworks is great, but some of the most compliant and “advanced” organizations have the worst legacy cruft you can imagine. We work with orgs all the time, and organizations that use these frameworks with expert guidance can easily secure their most critical assets while only implementing the right parts of a framework. And the best frameworks have risk-based targeting for maturity levels (NIST Cybersecurity) of various activities. These frameworks can end up being a bit of security theatre if you are just implementing them for the sake of “having security”. Guess I am just jaded after breaking software and networks for over a decade. Some of the most secure organizations have very adaptive security practices that focus on application security. Some of the worst are ISO, CIS, STIG policy template hardened blah blah blah. Just don’t put these frameworks and policies on a pedestal. The real security work happens in the margins.