Hacker News
by ziddoap 2553 days ago
You may not have specifically said it, but it is certainly clear from the way you are speaking about security as an annoying burden.

Just, for example, your comment "Work on security for a week and then submit". What does that even mean? Security is a going concern, not a one-and-done. What do you expect to accomplish in a week?

You mentioned you have no 3rd party pentest, nor SOC compliance. Regardless of whether they are required by law, not having a rudimentary pentest (which is fairly inexpensive) speaks volumes about your company's posture on security.

I hope you let the people that are trusting you with their extremely private medical and financial data know that you are tired of answering security questionnaires, and aren't too concerned about having a 3rd party validate your security.