In a way,yes suppliers have access to your system, however it is only view access to the specific contract that relates to them. We have used this for two major suppliers, seems to be working well. The biggest hindrance to adoption by suppliers is the fact that its is fairly a manual process to be entering these invoices given that most already have systems that generate invoices the feedback is they do not want to be duplicating efforts using such a manual process.
We ran into a challenge when supplier's punch-in to the site for invoicing. Previously, suppliers could see certain contract attributes such as total contract amount, contract dates etc. In most cases, we were using contract compliance for "legacy" agreements in which we setup the contract workspace with dates/amounts that did not exactly match the legacy agreement. We used it primarily as a BPO that the supplier could invoice against over the network for efficient invoicing. We found it alarming that suppliers could see that information and adjusted our supplier training to teach suppliers to BPO flip via their supplier AN account, not through punch in.
I believe that an enhancement to block this info from suppliers punching in to invoice against the BPO may have been changed in a recent release or in one of the upcoming releases.
We have a few suppliers that are invoicing via punch-in and do not see any security risks as they only can access their contract BPO. Our internal audit department did question why suppliers had user profiles setup in our site, but once we explained it, they didn't question it further.