Many orgs focus too long on assessing the risk before deciding to onboard a vendor.
Multiple control frameworks (COBIT, ISF, ISO, NIST, HITRUST) include hundreds of questions that are often redundant.
Furthermore, these assessments couple the vendor governance witht the actual solution. Hence, orgs spending weeks on evaluating each vendor.
The solution here is a laser-focused framework that includes a base for the vendor, along with specific questions for the solution. I would also advocate for a vulnerability scan of the solution by the specific org doing the assessment.