Totally agree with you. However, in my head it was, "hey lawyer, what should we do to protect ourselves against breaches by our vendors?" Lawyer thinks, well, we do due diligence for M&A, financings etc. etc. so why not for onboarding vendors. Course, now this process is codified into law.
I have an idea for a better way... :)