Thanks. I think you're probably right about that being relatively rare. I'm curious how often these deals are lost due to the security questionnaire at all.
I'd love to see stats on that. I'd bet that rather than losing the deal entirely, the more common case is that the deal gets delayed (possibly significantly) if something is flagged in a security review. After all, even standards like PCI & SOC2 include provisions for compensating controls :)