I think back to my history in IT in utilizing vendors for everything between keycard access, to phone systems, to infrastructure.  Back then, it was fairly easy to restrict access as for the most part, they needed to be onsite to access their systems.

In today's world, with more online vendors, outsourced coding and the like, vendors almost have more access into your environment than some of your users as their systems are often tied to your critical systems.  

Having come from the unstructured data world, where it was important to ensure that people only have the access they need to do their job, why aren't more companies limiting their vendor access to only the systems they need access to?  Whether via a jumpbox, or segmented workloads, the technology exists today isolate their access to only the systems they should have and need access to.