Why is filling out a SIG security questionnaire still a 15-hour job in 2026?

I've spent the last few weeks talking to founders and early sales/security folks at small B2B SaaS companies about one specific misery: security questionnaires. SIG, CAIQ, HECVAT, the bespoke 300-row spreadsheet a prospect's security team emails over right when the deal is heating up.

A few things kept coming up that surprised me:

• The volume snowballs fast. Teams go from 3–5 questionnaires a month to 40+ almost overnight once they start selling up-market, and there's usually nobody whose actual job this is.
• It's a deal-killer, not just an annoyance. A slow or incomplete questionnaire stalls deals for weeks — sometimes loses them.
• The existing tools are built for the wrong buyer. Loopio, Responsive and friends are powerful, but the consistent feedback from small teams is "overkill" — expensive, weeks to set up, and they need a dedicated person maintaining an answer library that a 30-person company just doesn't have. One person described it as "flying a spaceship to go to the grocery store."

So the gap I keep seeing isn't "no tool exists" — it's "nothing light and cheap enough for a team doing 5–10 of these a month with no GRC hire." That's the thing I'm building (FillQuestionnaire), but honestly I'm posting here because I want to pressure-test the problem before I go further.

If you've dealt with these:

1. How are you handling questionnaires today — a tool, a shared doc, raw suffering?
2. What actually eats the time — finding the right answer, the back-and-forth with engineering/legal, or the formatting?
3. If you tried a tool and dropped it, what made you bounce?

Genuinely want the unfiltered version. I'll share back what I learn from the thread.