There’s truth to that, but it’s dangerous to consider it an acceptable amount of signal. There’s a whole universe of ways to surface security debt far before a potential customer does that work on your behalf with a penetration test.
It’s valuable for a company to aggressively mitigate vendor risk in the way you describe, but it is a common warning sign when a vendor’s security story is “another customer audited us and we were OK”. That is a bad story.
A good story is when a vendor can describe how they surface debt systematically with employee, infra, and app security programs. This should exist before a potential customer has to *literally tell them* about their own debt.
So, while I think vendor penetration testing is a valuable practice for a customer — a vendor that solely relies on this form of signal for their security debt should be avoided. That signal comes far, far later than where our expectations should be, and a vendor should be able to represent more about their security than that. Otherwise, security starts at sales, ugh.