You're right that you can game the system by choosing a very limited scope (!= statement of applicability), and if you're looking for suppliers/partners that meet the standard, you must check the scope statement (which has to be publicly available). One of my customers (quite legitimately) has a scope limited to two isolated servers and their Internet connection.
The drawback is that you can't just assume compliance in the rest of your organisation that is outside your scope. So you have to have formal agreements with the rest of the business that they will meet the requirements of the standard in so far as they provide services to the part that is in scope (e.g. HR in dealing with vetting joiners, managing leavers, etc.) - this is nearly as much work as extending the scope (at least for medium-sized organisations that don't have separate HR, IT and Accounts for each division).
As for ridiculously weak security - well, if you've conducted a proper assessment and have business sign-off for the risks involved, it's very difficult for an external assessor to say (in effect): "I understand your business and systems better than you do, and I don't think these are appropriate."
Of course, all security decisions are trade-offs (inter alia between direct and indirect costs and the level of security needed). I suppose there may be an organisation that has no need for confidentiality, integrity or availability of the information it holds, but I haven't come across one.