Fortunately, NIST has specific advice that recommends against that which is admissible in court (in the US). I'm not sure how to work through the bureaucracy to do this, but your company should sue them in court for incompetence to get their money back.
I've seen multiple accounts from IT/security people who discovered that something like "this could get the company in legal trouble" with links to details was exactly what got an otherwise intractable issue resolved.