Reply to post: "Vendor Management" in most companies is just a paperwork exercise

Oz military megahack: When crappy defence contractor cybersecurity 'isn't uncommon', surely alarm bells ring?

Amos1

"Vendor Management" in most companies is just a paperwork exercise

"What do you mean, I have to assure the vendor is doing their job? That's why we hired them!" is a common push-back from "The Business". "An on-site visit? I'm not paying for that! We outsourced to save money!"

So they request audit paperwork, which comes back as an SSAE 16 SOC 1 Type 1, which can only be used for financial reviews, not technical operations, and had no testing done. It covers the vendor's "cloud" provider's infrastructure and nothing else, not even the web apps the vendor wrote themselves. The security group writes them up for numerous problems marked in the vendor's own docs as "Requires management attention", where the vendor's response was "Accepted the risk".

The paper-pushers in the customer's Vendor Management program look it all over and say "We can't tell the vendor how to run their business and they accepted the risk. So did our business unit."

And then the vendor loses a butt-load of the company's customer data *cough* Equifax *cough* and "The Business" squawks "What do you mean, we have to notify our customers that the vendor we hired got breached? We're not the ones who lost it!"

That's my Monday. Want to know what the rest of the week looks like? You guessed it, the same.

Safe for work video on the subject: https://www.youtube.com/watch?v=9IG3zqvUqJY
