This whole shift is very simply about ownership and accountability... plain and simple.
And, yet, everything you say is the case now still puts ownership and accountability on the service provider, in the end, because if they don't present necessary practice then how would any client, who should be presumed to be ignorant of the nuts and bolts, know?
We present, they decide. And if we document that we presented, and they decided against, I don't see how we're on the hook. Yes, of course there will be frivolous lawsuits (as there always are) trying to lay blame where it doesn't belong. But that's true now, too.
I don't know of any instance of someone successfully suing a doctor for malpractice, and winning, if they refused to follow medical advice. You have to have received advice, followed it, and the advice was bad to begin with (or at least could be interpreted as bad). That's pretty much true in any area of professional practice. You're not liable for any individual refusing to implement something you've said should be implemented. And if you can show that you did state it should be implemented and the client refused, well, what are you to have done about that?
I don't think that our clients, who hire us for our professional expertise, should be expected to know what's what. They hire us for that. We should own that. But, at the same time, if professional expertise is offered and documented as having been, we've met our obligation if the answer from the client is, "No."
The real danger comes if the answer is, "Yes," because you had better be darned sure that what you're suggesting, particularly in regard to security measures, will actually provide the level of security needed. [Again, very analogous to medical malpractice.]