I recently came across a blog article, The Security Risks of Medical Devices, that speaks to one topic on which I routinely advise my clients: "Security is a shared responsibility with your vendors."
As an IT professional or security officer, your ability to secure your network depends on your relationship with your vendors. If your vendors fail to provide the information you need or fail to update their systems, your organization is put at risk. Imagine if Microsoft never issued any security updates.
My favorite excuse from vendors is: "I can't tell you that information for security reasons." My stance is you need to tell me that information for my security reasons. Or another one of my favorites actually comes from my clients: "I can't update my Windows 98 machine because the vendor doesn't support any other operating systems." My solution: find a new vendor.
You may love it or hate it, but PCI has done some good things with managing vendors, including forcing organizations to ask questions about their vendors' PCI-DSS status or requiring a PA-DSS certification. The great thing about the PA-DSS is that it comes with an implementation guide from the vendor. The implementation guide tells the IT administrator how to configure the system securely. It also tells the security team how to test to ensure the system is set up securely. I wish all vendors did this.