The list of 'approved' software vendors doesn't say it's because their billion dollar companies, but if it's from a company on the list that's enough. No further vetting required.
I think where this goes wrong is when Bob in purchasing confuses can
use this approved supplier with must use this supplier and fails to
notice said supplier about to be bankrupted in court over a
multi-billion security scandal, and goes ahead anyway.
Voila! We just bought a couple million IoT bricks and doorstops that
will be in a landfill next week.