It is not sufficient, but it might be enough to fulfill compliance requirements. Yep, that is only cover-your-ass security, but it is still better than no encryption at all … the glass is half full vs. the glass is half empty, although we should of course aim for the full glass.
There's an opinion that it's actually harmful, as it creates a false sense of security when there's none (when a powerful malicious party can possibly force the vendor to make the software silently auto-update and disclose your encryption keys — that really means "none").