> but let pen tests, post-mortem analyses and such speak to their robustness/lessons they've learned.
It depends on which audience you want to reach when you want to advertise how secure your product/service is. Most people outside IT security have no idea what a penetration test is nor can they make sense of jargon-heavy post-mortems.
They can put such things in a company blog for those who are looking for it, it doesn't have to be on the front page. Google, Cloudflare, the previously mentioned Mullvad, etc take this approach (and they often wind up submitted to the relevant audiences). This strengthens their brand trust in terms of security among key groups.
It depends on which audience you want to reach when you want to advertise how secure your product/service is. Most people outside IT security have no idea what a penetration test is nor can they make sense of jargon-heavy post-mortems.