When we audit MSPs that have grown past 25 clients, the same pattern shows up: the contract says the platform vendor is responsible for security, the vendor's docs say the customer is responsible, and nobody is actually doing the work.
The most common gaps we see are around backup integrity testing, identity lifecycle for offboarded contractors, and tenant-level alerting. None of these are exotic. They just live in the seam between the MSP and the platform.
If you run an MSP and you can't answer the question 'who is monitoring our M365 admin role assignments today?' in one sentence, you have this problem.