@stefano Is this a PCI-DSS vendor? Because holy shit are they bad at this stuff.

Had one years ago when I had my own hosting company, client came to me because they didn't understand a security fix being backported, but they said the vendor would verify them when it's fixed... but I was like "no there's like 80 other things your WordPress site is doing wrong that should disqualify you..."