Usually in these kind of situations I fall back to sharing a OneDrive / Teams (SharePoint) folder out to the external vendor. Anyone can say that they can’t receive the encrypted email and there could be legitimately good reasons for that, but if they don’t know how to login to 365 to access a shared folder that’s on them.