It doesn't sound like your firm does any diligence that would actually prevent you from buying a vendor that has security flaws.