SaaS is usually just a pentest; for some we get/request code access.
Overall it depends on the risk profile of the product. SaaS products tend to have a lower risk profile because they don’t deal with trades/contracts directly.
It’s all about managing risks.
One of the products we use is Salesforce.
Pentesting Salesforce would be a waste of time for us because Salesforce has a good application security team and is a trusted vendor.
However, we did perform a review of apps/plug-ins that run on the Salesforce platform, which we use but have much less confidence in.