Infosec question.
Over the years I've seen various hacked/defaced sites. I can generally clean them up and apply enough "protection" to avoid them getting re-hacked, but I'm no security expert at all.

We work with 3rd party infosec companies who run scans and give us...

1/a few
They give us a report, and I've come to find most of them give us essentially an OWASP basic definition list after they've run a scan with something like Burp Suite.
I almost feel like they don't actually know shit about securing things, they just run scans and charge...

2/a few
They seem to charge a ton of money for what I feel amounts to them copying/pasting the site URL into a preset tool, taking the "highest" threats and putting them into a PDF which they then present 2 days later as if they did a buncha work they can bill for.

3/a few
My question to the #infosec community is then:
How the hell are we "non-security-tech-folk" supposed to know who to trust and which of these companies actually know what they're doing?

4/a few
Lastly, where can we point our clients when they are seeking such services so they don't get ripped off?
I'm not talking large corporations with tons to spend, I'm talking small businesses with small budgets that need some sort of security assistance.

Thank you.

5/the end.
You can follow @ravavyr.