A good portion of my day consists of consulting for PCI compliance. After consulting with the customer on one issue after another, you really start to realize that the customer is not concerned with security whatsoever. What they are concerned with is getting the banks, or whoever is auditing them, off their back.
Why are the banks on their back? Most likely it is not for security either. It is likely because they have identified PCI compliance as another revenue generator: they require customers to become compliant or pay a fine ($$), knowing that customers will be out of compliance for at least some period of time. The banks are also teaming up with ASVs/QSAs, creating partnerships that basically split the revenue, by stating that if you are not PCI compliant, the bank will provide an ASV/QSA for you. Now, I am not saying this is a bad thing, because I would like to see companies become PCI compliant by any means necessary. What I am saying is that in neither case is there any real concern for the actual security of each company.
One of the more difficult issues I face when dealing with a company that is trying to obtain PCI compliance without a serious concern for security is that they will do just about anything to obtain compliance. This includes removing the non-compliant devices from their account in order to print a compliant report for the ones that are compliant, without properly identifying the correct scope of network segmentation. Another common issue I see is customers providing inaccurate or false statements to verify that a vulnerability has been resolved through patching or mitigation. More often than not, I see the customer remove the page in question just so that they can print a compliant report.
Now, we do have checks that try to prevent this, but they are all based on the customer's word. I am just guessing here, but if they are going as far as temporarily removing devices, pages, or applications, then they are most likely going to tick a couple of check boxes without thinking twice about it.
What I am about to say is purely my own opinion, but I am sorry, I just don't see it happening any other way.
Companies like Visa/Mastercard really need to force PCI compliance. The only way I see this ever being successful is if your shopping cart/payment application must be Visa/Mastercard approved.
What do I mean by that? I mean that if you have a shopping cart or payment application, it must go through a Level 1 PCI audit with code review and be a Visa/Mastercard approved application.
Why do I believe this? Well, if you are a mom and pop shop, you should not be allowed to have your own custom shopping cart. You are not programming this application with security in mind, and most likely it will not be secure. There are so many Visa-approved shopping carts out there that you should be able to find one that accommodates your needs.
If you are a "big time" enterprise company, then you should have the necessary components to program a secure application, and you should have the funding to get the necessary Level 1 PCI audit with code review and have it approved by Visa/Mastercard.
Now, I know that by saying this, a lot of security professionals are going to think that this would put someone like me out of business. I do not think so. Just because the payment application is secure does not eliminate the threat. There are still other web application/network vulnerabilities out there. There is still a need to pen test websites. There is still a need for PCI compliance.
Either way you look at it, something needs to change in the process by which we take/store credit card information. If PCI is not going to lead the attempt to address this, then who will?