I would do it like this:
- Whole Project WS (Only you and your company staff has permissions to this WS)
- SubWS for Vendor A subproject (You, your company staff, and Vendor A has permissions)
- SubWS for Vendor B subproject (You, your company staff, and Vendor B has permissions)
Does that work?
(Note: You are right, permissions and groups management need to be improved).