Ask, show me your:
A vendor that takes security seriously will perform ongoing and constant threat modeling on their products, services, and their whole environment. Asking a vendor for a threat model will allow you to understand their security maturity.
This question is only relevant if you are trying to bring in a new application or service with a software component. It will give you a good overview of whether the vendor is using insecure third-party libraries or code, and whether they have a good patch management strategy for these components.
Asking a vendor to show you the last five security events or incidents will provide you with a good picture of the level of security maturity of this vendor, and whether there is a lingering security issue with their services or apps.