Security as a Product Requirement, or not

On paper, security is supposed to be a consideration in determining what products are purchased at my company. Unfortunately, that message hasn’t filtered out to all parts of the IT department. It’s not that I want to have to be at every vendor meeting; it would just be nice if the security considerations came before the purchase order is created rather than as the product is deployed to the test bed.
The latest product that leaves me scratching my head is Hummingbird DM.
Hummingbird DM is a document management solution that we have purchased as part of a decision to move away from homegrown Lotus Notes databases.
To use Hummingbird DM you have to install a client that digs in deep and takes over much of the computer. What I’ve noticed is this client opens a website on port 81. I’m not sure of the purpose, but it seems very unnecessary. Permissions also seem to be an issue. I’m sure there are more folders than the ones I have access to. In the folders I can see, I can see sensitive data. What I’m told is, it is up to the user to set permissions when they upload a document. This goes against the best practice of not leaving security in the hands of the end user.