>coming up with requirements that required something closer to real security
Being in security for years now, I'm not sure that's possible. At the end of the day real security is a massive onion with lots of layers. Most of the time I'm dealing with crappy security consultants I would not say their recommendations are made up whole cloth. I would say misapplication of requirements from different security contexts is one of the most common problems, and after that examining shallow issues for checkboxes rather than fundamental issues of applications.
Being in security for years now, I'm not sure that's possible. At the end of the day real security is a massive onion with lots of layers. Most of the time I'm dealing with crappy security consultants I would not say their recommendations are made up whole cloth. I would say misapplication of requirements from different security contexts is one of the most common problems, and after that examining shallow issues for checkboxes rather than fundamental issues of applications.