In today’s industry, being in compliance doesn’t make a company secure. Being in compliance means a company has met the minimum requirement or has workarounds for some of the risks it can’t mitigate.
Asking if a company is in compliance is like asking a student if they have done enough work to get a C grade. The compliance industry should have a grading system that shows how well a company performed during an audit. The highest score would mean the company went above and beyond the minimum requirement, and the lowest would mean it is meeting the minimum requirement for the compliance audit. I believe this will drive the information security industry to better protect consumers and companies alike.