That page looks impressive but there is no way to casually verify that what they are talking about actually happens (on a quick check). There is simply so much info there you'd have to spend considerable time trying to track down what is needed to make sure it's actually legit. [1] Of course we 'assume' with AWS it is and it's meaningful but my point is if someone else were doing that people might simply 'check the box' and say 'ok they have this handled'. Might not be the case.
As for [1], the FTC etc. do a bad job of regulation, especially of Amazon. I actively do not trust Amazon to sell me things I ingest.
>there is no way to casually verify that what they are talking about actually happens
I have first-hand experience working in more than one organization with security departments which did this sort of verification of vendors. Usually as required by law.
And the opposite was true as well, working in organizations which were beholden to those kinds of compliance requirements and to customers (and investors) verifying them.
It is indeed a long process with a lot of work. That kind of "box checking" tends to happen sometimes but not in an inventing reality way but a cargo cult way. There is enough surface area of these regulations though that you can't just get away with a song and dance, you end up actually having to do the right things.
Rereading your comment, here is one easy verification method for one of the programs: literally a marketplace of compliant services by the group which does the verification.
[1] Edit: Story today about Amazon and expired baby formula:
https://news.ycombinator.com/item?id=21310697