Picking the best document out there for your situation is a good diplomatic effort inner-office, but I like Andy Warren's suggestion for dealing with the developers also for diplomatic reasons. If you make them part of the 'in' crowd, at least initially, you can approach it as if they are your partner in making your systems secure.
Another concept to stick to is to express things in terms the person you are talking to can not just understand the words of, but hears their own cares in. Whether it's a play on fear, profit, or whatnot- it has to be what they care about. Scare a business member about profit margin and they'll usually react. If they think there is too much trust between them and the 3rd party, don't bother fighting it just pull them both into the fold. If the 3rd party betrays the trust, saying 'They were specifically granted total access' is much better than saying 'There is no security from anyone on your server'.