• We've told several vendors that there is not a chance that they will get to use sa to do anything, and that they need to change their product to meet our security requirements. That works most of the time.

    It seems to me that an app that requires you to have a password in plain text was written by lazy programmers. The solution is to have the password entered into a configuration screen that creates the config file, or even just inserts the encrypted password in the file using a key generated by the program itself.