The Risk Hiding in Plain Sight: Critical Vendors and Geopolitical Dependency