Having sa own all databases isn't a good security practice. Have a look at this article. We go with number 5 in the Possibilities section here. Adi is right about your application users being sysadmin - you ought to challenge the vendor on why that is a requirement. Maybe it was only necessary so that the database could be created during installation?
John