CIOs largely believe their software supply chain is vulnerable