Completely agreed. No security is absolute, and Security Metrics doesn't certify security as absolute. Having a reputable third party entity verify that you're following reasonable security procedures is well worth it though, for the sake of the users.
--matt
|