The flip side of the joke being, of course, that everyone internally naturally prefers weaker controls (that help them ship faster) to stronger controls. So there's a wink and a nod and a smile and everyone moves on while institutionalized corruption is accepted. Never mind that strong controls over commit messages can also help build automated documentation, notifications, and clear integrations like being able to link a production outage to the Git commit that triggered it, including full business context and knowledge of who to contact.
Note that there are two kinds of perspectives to build this kind of control - the glass-half-full perspective that builds Git -> Slack integrations to let people get notified quickly that a review was requested, including signals that this is a hotfix/simple/not-controversial/rubber-stamp to help get simple stuff approved quickly and deployed quickly, along with collaboration with auditors to get them the reports and commit samples they need. The glass-half-empty perspective is to say, well, the auditors already have a built-in integration with Jira, so let's throw it into Jira, along with a complicated and rigid workflow that forces everything to go through sprint planning and approvals by managers 3 levels up, and if it causes a production outage because something can't be fixed quickly, well, that's not really Security's or Compliance's fault, the regulations are the regulations and the auditors are the auditors, and why are you trying to work around The Perfect Process That We Worked So Hard To Build, maybe you have malicious reasons, hmmm? And maybe it's time we hired separate operators to run everything in production, like A Real Enterprise Company would, like some banks you've heard of?