TCS had a perfect security score. Then M&S and JLR were breached

Curious whether people here see value in this kind of research: using alternative public data to assess vendor risk before a breach, rather than after. We're aware that "we found signals before a known breach" is a weaker claim than "these signals predicted a breach we didn't know about yet." Is retrospective analysis like this useful to practitioners, or does it only matter if it can be made prospective?