Security technologies are secure but if deployed incorrectly, the intended protection will be in vain.
It is necessary to have a design review and configuration check to minimize this type of issue. Preferably, this should be done by 3rd party for independence as well as from fresh eyes.
Of course, a reasonable scope of coverage has to be defined. That’s why security accreditation is at component level (e.g. encryption module) to set the boundary because how it is deployed has many variables.