There are multiple reasons for the challenges. First, typically security requirements are never detailed in contracts with third parties. Security is often brought in after the deal is negotiated, when requirements are difficult to put in after the fact.
Other companies have gone to the other extreme, and insisted on draconian, and expensive, measures for offshore outsourcers because of perceptions of elevating risks, often slowing down the process, and never implementing on-going assessments to ensure security controls agreed to, are actually instituted.
