Resellers aren't really in a very different boat than the vendors who use someone else to host their data.
If you're in a financial institution and there is NPI, then the SSAE 18 guidelines kick in, which means you should try to get a doc of some sort so you can review the data protections of the 4th party.
There are lots of companies out there that will not share the SOC of one of their vendors. There are others, like AWS, that are readily available. In most cases, auditors can't really comment if the request is made and the answer is "no". They may ask why you keep doing business with them, but they can't force the issue too far, from what I've seen.
I can't recommend contacting the 4th party directly. They have no reason to give you anything, you have no contract directly with them - it seems like the old "trying to teach a bear to dance" where all you do is waste time and annoy the bear.
If this technology is of a retail variety, then I think you might be spinning your wheels a little. Ordering a PC through a reseller, where that PC will have NPI isn't appropriate. If it's a data variety, where the vendor is using someone else as SaaS, IaaS, PaaS, etc. then I'd recommend asking for a SOC for that vendor. Sometimes the answer will be yes, sometimes no.
In some cases, I find that the SOC of the vendor is thin in some areas, like physical or environmental security, because they lean on one of their own vendors to take care of those things.
As for the more thorough investigation of their vendor management program - if you can get it, sure. The thing is, if it's mentioned in the 3rd party's SOC report [and it should be], then you have a document from an auditing source that confirms that the program exists. I'd say stop there before you fall too far down the rabbit hole.
------------------------------
Dave Howe
CIO
Franklin First Federal Credit Union
------------------------------