Feb 24, 2023
Yes, I think it's important to note that SBOMs are not the end-all, be-all to problems in supply chain security. They are useful for detecting known, exploitable (in conjunction with VEX) vulnerabilities. This point may accidentally be lost by the compliance department or regulators. (Hence why I'm partly wary of well-intentioned regulations.) We have miles to go before we get to rest.