• One way to get some action (in US companies) is to tell your CIO that the software does comply with the required Sarbanes-Oxley (or other regulatory) guidelines.

    That will get the software removed from the system ASAP.

    Tell the vendor the reason why it was removed, and that you have written a letter detailing its security inadequacies to the appropriate regulatory agency for their review.

    It will only take one stink-bomb in the press - plus the resultant contract cancellations and huge sales drop - for many software vendors to get the message.

    Of course, you better be right and be able to prove you are right, 'cause the software company might come after you.