
Consult with a security firm or specialist and they should be able to steer you in the right direction.


Two problems with this:

1) Like a car mechanic, these people get paid to sell you solutions and they are incentivized to sell you more.

2) Plenty of honest people have biases because of what they do. If you spend all day thinking about security you might be overly concerned about things that are actually not that risky.

This isn’t to say that there aren’t great people working in the field. But it’s daunting from an outsider's perspective.


Develop sufficient in-house subject matter expertise so that you're not depending on sales consultants to do your cyber program for you.

Develop an empirical understanding of risk management. While we can't predict the future, through well established techniques and adequate resourcing, professionals can achieve consistent results that are far better than random guessing. Risk management principles drive not just corporate strategy writ large, but entire industries like banking and insurance.


To answer points 1 & 2, you're more than permitted to think for yourself and establish if their recommendations are worth pursuing. You could even get multiple opinions and see if there are any recurring themes that might suggest areas to look at first.


It still comes down to a matter of urgency or value perception.

You don't want your doctor to overlook any problems just because they are rare because your health is really valuable.


With the example of the doctor you run into the nocebo effect: you can spend a lot of time tracking down things that turn out to be of very low value, which ends up causing more harm than good. To painfully extend the metaphor, you could have an overly aggressive password policy and end up having users reusing passwords or writing them down.
