"That's where the industry is at right now, and will continue to be until some way of understanding "good" security vs. "bad" security can be automatically and easily computed."
But the human factor always gets involved which is why computers can't do it and why you need human actuaries; it takes one to know one, basically.