What I'm familiar with is that you would write into any business contracts signed with that vendor that all of the [insert scoping modifier here] representations the vendor has made are truthful or else the customer may cancel the contract and seek [consequences of contract violation]. Just make sure the scope includes that security questionnaire.
In my experience people don't outright lie about these things, they sell a piggy bank as fort knox.
E.g. someone running an automated vulnerability scanner that may not even be entirely appropriate for the application being scanned could be considered a pen test or perhaps OWASP mitigation.
TOTP software authenticator on the same machine as the password safe? Totally 2FA.
Security training for employees? Some mind-numbing videos of a consultant reading the OWASP list from 2011 over some PowerPoint slides and mentioning some buzzwords; employees self-certify having watched these videos.
If you're hacked and leak your customer's data, and it turns out that you materially lied on your customer's security questionnaire/due diligence, you could be sued by your customer for damages, and your insurance company could refuse to defend you.
If nothing else, I imagine if the vendor were to get hacked, the client would have obvious grounds for a lawsuit. Obviously you'd rather it not get to that point, but, still.
I asked because I've heard more than once that a company either stretched the truth or outright lied on these questionnaires.
So stretching the truth could be:
Do you adhere to NIST?
The truth could be: "well, not exactly, but that's on our roadmap; we do some things that are close enough."
That would get a 'YES' check.
Or something like end to end encryption. The answer could be a 'YES' because a company uses front-end TLS and pretends to not completely understand the ask.
In this case it is mostly the business either forcing security to BS or another group (Sales?) filling out the response untruthfully because they are losing revenue if they're honest.