The cost of poor vendor management is a broad topic. Studies from supply chain academics highlight the costs of poor quality, and procurement organizations have published articles dealing with the costs associated with contract management. There is no single definitive source providing data covering the whole third-party risk management spectrum. However, one of the most compelling sources of information can be found on the various regulatory websites. Enforcement actions and fines are posted publicly. Not all enforcement actions are related to third-party risk management. Still, when they do pop up, the fines are substantial.
One method many organizations use, specifically related to data breaches, is the Ponemon Study (https://www.ibm.com/downloads/cas/OJDVQGRY), which lists the cost of breached PII at $180.00 per record. Assume you have 50,000 breached customers; that is 9 million dollars. But even this methodology doesn't cover some of the unknown costs. It is essential to consider costs that aren't as easily quantified, such as damage to your reputation, loss of revenue, operational downtime, re-work, and employee satisfaction, which can occur when third-party vendors are not appropriately managed.
While it is not the answer you were probably looking for, I hope it gives you food for thought. Still, I would love to hear from other members.