To your first point I agree 100%. As of now the security VARs and consultants are more focused in selling their product than understanding business requirements or mapping the requirements correctly with their product(s). This is why most of the companies end up viewing security just as an overhead grudge purchase. It also happens because once the IT head of an organization is trapped by a VAR or reseller and is convinced about the product, and if the product seller has just one target of selling it by any means, the IT head along with VAR or the reseller will not be able to convince the management in buying the product in that perspective.
The best approach in my view (and which is missing as of now) is to first target of a VAR or reseller should adopt is to look at the business of an organization and their current setup, without keeping a target of selling his product(s). He along with the IT of that organization should analyze the business, business needs, current infrastructure in place, the gaps and how to fill those gaps. This white paper (a sort of) should focus on problem and not VAR’s or reseller’s product in first instance. Once the management is convinced about the requirement, the IT with VAR or reseller should analyze different products available for the purpose and then VAR or reseller should project how their product is better than the others, or how is it going to meet their requirements in the most optimum manner – commercially and technically both. At times VAR or reseller has to clearly say that although their product is not the optimal choice and in their opinion another VARs product could be a better choice by giving objective reasons of comparison of his product and another product. This in any case will increase the value of VAR in management’s eyes although he may lose a bit of business in turn. But on a whole it could be a very good long term deal/associaton/trust.