I don’t disagree, but I’m a bit confused by the framing. If there is a “hidden iceberg of under-prioritized security issues”, it’s actually the app and container levels.
Standards like SOC 2 Type 2 and so on focus quite heavily on change control, patch management, vulnerability notifications and monitoring, and generally don’t even address password hashing, prepared statements vs. building raw SQL or parsing inputs vs. validating inputs or any of the other common appsec foot guns.
Author here. I’d agree with you when it comes to more traditional companies that need to stay compliant. The companies interviewed were normally Series A - D companies, along with a few more traditional organizations. What we see there is that they focus largely on the app level, but with Cloud Native-like thinking, many orgs forget completely about the hosts, as they’ve been abstracted away.