No wonder security is poor...
...if this load of comments is indicative of the general understanding of PCI DSS & security in general.
"if you use an off-the-shelf package, it's supposed to be PCI-DSS certified. But if you use something bespoke, you can exempt it from this requirement and just self-certify it." - RUBBISH! The point of PA-DSS is to ensure that off-the-shelf payment application software can be set up and maintained in a PCI DSS compliant manner. Far too many off-the-shelf packages actually prevent achieving PCI compliance because they do something stupid, like intentionally store CVV2 values. It is a way of getting vendors to produce software that does what it needs to do from a security perspective. If you develop the software yourself, then you can make sure the software does what is needed yourself.
"The form required is too complex for a small business that only uses a PDQ terminal." - then you are using the wrong form (there are five of them, one of them specifically for PDQ terminals).
"The cost of becoming PCI-DSS compliant is extortionate for most businesses. Most small and medium-sized enterprises would be put out of business if they were forced to become PCI-DSS compliant" - There are a whole load of things that can be done for free or at minimal cost to facilitate compliance. It does not require a £10k firewall or a 12-month Identity & Access Management programme (though some will try and convince you it does).
The truth of the matter is that most companies' perceptions of their own security are far from their actual reality. I have seen e-commerce merchants with no anti-virus at all, corporates running web servers on platforms that went end-of-life years ago and even banks with absolutely no security audit logging on their systems.
Keep telling yourselves PCI is a joke if that's what you want to believe, but without it, security for most companies will only improve after the horse has bolted.