External infosec companies and security assessments do have a place in improving security posture - even if there are great internal security-focused employees and good development practices! Different sets of eyes can be useful in identifying and managing risk. So maybe poorly worded on OP’s part, but suppliers can be of use.
I will agree that magic boxes are more of a construct in the mind of some salespeople rather than anything rooted in reality, though 