This questionnaire is designed for smaller, probably early-stage companies who need to evaluate a vendor. It is meant for a SaaS product that will have a particularly high security impact, i.e. one where a breach of the vendor would be a major, potentially company-ending event. If you're just trying to decide which ticket tracking system to use, again: just buy one and move on.
I would personally prefer independent security audits, automated at scale for constant evaluation, instead of a "one-off" event (paid for by the company itself) just for the compliance. It should be made mandatory by the regulating agencies to have the most comprehensive review. Security by design is not the end goal but should remain a benchmark, as part of the licensing and compliance costs for the organisations. I understand that it is wishful thinking (at times) but an important policy goal.