That is not correct. The problem with SOC reports is that it is up to the company to scope what controls they want to be tested as part of the SOC2 report. Therefore in your example, the company is unlikely to include asset management controls (EoL / EoS) as in scope for their SOC report. Companies can also choose to only include the components of controls that are known to be effective, to avoid having a qualified report.
You are right that you shouldn't just blindly put faith into an organisation because they have a SOC report. To rely on a SOC report, you need to review it in detail, and understand the controls they have tested, and look for what has been omitted.