Compliance (GDPR, SOX, PCI...), or more in general lack of a standardized security questionnaire (where do you store my data, how do you protect it, who are you sending my data to, what do you do in case of incidents...).

Plus there's the business - will the SaaS still exist in 2 years?