Frameworks do work!
If your vendor risk program relies solely on public information about your vendors gathered through various tools, on contract language, and on long questionnaires, it may be time to take another look at how you are managing those risks. Historically, this may have sufficed; however, the stronger your cyber security and privacy programs become, the more likely an attacker is to move on to the next weaker link. We all remember the Target breach, which was an attack leveled against its HVAC vendor.
The attached article discusses a new council, the Provider Third Party Risk Management Council, made up of healthcare CISOs who want to work together to require their vendors to be HITRUST Common Security Framework certified. I think it is important that an organization of any size use a framework, whether HITRUST, NIST, FISMA, ISO/IEC 27001, etc., to, if nothing else, get a comprehensive view of what a cyber security and privacy program should cover. It is also important to understand, as the last line in the article suggests, that "The risks involved with a one- to three-person transcriptionist service that uses one method of obtaining and then sending results back to their healthcare clients is going to be different from the vendor used to constantly monitor and process the data within the same provider's patient implanted medical devices."
In other words, what is reasonable for one organization may not be necessary for another, and it is important that companies, especially small and mid-sized ones, understand their risks and address those risks through an overall framework tailored to their own business processes.