When I evaluate a "solution", I am thinking circles around the vendor because information security is a complicated, multi-layered beast. If a vendor came in who was very well versed in the legislation and in the security arena, and who understood what their solution actually did as part of the total solution, I would listen. So far, I've just not been that impressed, and maybe that is why compliance vendors are wondering "how little market demand there is for HIPAA and PCI compliance solutions".
Compliance is a subset of security. And Michael's New Rule of Security is this: "It's A Strategy, Not Just A Policy." Or a piece of software.