
I did the analysis and looked at the costs of a security questionnaire. They run anywhere from $250-$4500 each. The main problem is that there has become a race to longer and longer questionnaires. "Oh, your questionnaire has 1000 questions, I am going to make mine 1100!" I like the author's intent here. Maybe 10 questions is a little short, but let's end the gaming of this process and keep it straightforward. As one commenter noted, some of this information is confidential and should be obscured, not sent around via email attachments to people who may or may not enter into a contract at some point.



Agreed!

IMO, ask for the company's SOC-2 once you've demonstrated that you are a legitimate prospective customer with a budget and not a competitor or social engineer.

That should address most concerns, or at least make the questions more salient, and it has the added benefit of being vetted by a third party.

If they don't have one, then proceed with the dumb questions, but as you quite correctly point out, no one should be surprised if some questions are rebuffed.



