Can Company A read/redirect/mitm the traffic of company B?
Not on a professional VPN service. Secure network configuration is a basic property of those services. So I believe that any reputable VPN service will configure their networks in a way that this attack is not possible.
What happens if both connections terminate in the network of the service provider?
On a minimally well configured network? Nothing interesting happens. The VPN server will be configured with interface isolation, user isolation, guest isolation, or something like this, depending on the vendor. That means that any traffic coming from the guest can only be sent to the gateway, not to other addresses on the same network. And the gateway is configured to not route packets from the internal network to another address on the internal network.
Is there a security risk? What are the attack vectors or security risks?
The main security risk is a misconfiguration somehow. But a reputable VPN provider will mostly sure have Change Management Process in place to take care of that.
So there's no risk? There's always a risk when you don't control all your infrastructure. But the risk is lower than it seems. Take into account that your own employees can mismanage things, allow external access to internal servers, leak credentials, so nothing is 100% secure.