In no particular order and off the top of my head:
Single vendor:
- easier and faster relationships
- (usually) better integration of different products, provided they're not rebranded kits
- simpler to "pass the buck" if products A and B don't see eye to eye - they're both the same vendor's responsibility.
Multiple vendors:
- less risk of vendor lock-in
- more competition, therefore possibility of lower prices
- more difficult to keep track of licenses and contacts
- risk of work duplication between different products (company A has a product that performs 1, 2, 3; company B has another performing 3, 4, 5. Task 3 may in some cases (e.g. antivirus) even lead to conflicts).
- more possibility of precise tailoring of each product to your needs
As you see, the multiple vendor solution appears to have more "cons" - but these points shouldn't just be counted, they ought to be weighted in every specific situation. Also, most points are hypothetical, they are risks or opportunities, and whether they occur or not depends on the vendor(s) and situation.
I believe that neither option can be recommended a priori.
The man-hours and cost of maintenance is more or less proportional to the number of vendors, all other things being equal, but the savings (in price, resources, maintenance and productivity) are in percent, and therefore proportional to the number of installations and company size.
In a large company, with workforce and procedures to leverage, and a bigger budget, probably the multiple vendor option has chances to be better. A smaller firm, maybe without a true role dedicated to security, would probably find more convenient to negotiate a single offer and forget about it until next year's assessment.
From a security standpoint, I believe that what really counts is the product ecosystem: what products are really from any given vendor (instead of products rebranded and, perhaps, only maintained by the skeleton crews that survived the original company's acquisition), how they are supported and the vendor commitment to those products: best of all would obviously be a company that guarantees strong support to all its products, not only "flagship" or "developed-here" ones.
In my experience, "acquired" products are comparable to the original for the first version, appreciably worse for the next release(s) (when the acquiring company tries to shoehorn the product into its own shape, e.g. changing the UI or moving config files to XML and such), then improve steadily (or get ditched) as the programming teams get their act together.
What really makes the difference (but this is my own limited experience) is how much time (and budget) you can devote to following the products - checking updates, security alerts, browsing the forums, and maybe run some tests yourself on the side. How much the vendor ships a product because it believes in the product, instead of keeping it up so that they can make a "complete offer".
Usually, checking the contact pages and inspecting product and update history is enough to assess the level of commitment that product enjoys.
There is usually an argument about "biodiversity" in security products, that more or less boils down to:
- several products from the same vendor and code base are likely to share the same vulnerabilities.
- different products may have a "security overlap" so that what is not protected against by the one, will be intercepted by the other.
I believe that both points are close to moot (except insofar they descend from the vendor's attitude, if you will):
- several products sharing common code will have that code tested harder, longer and better, and the bugs in there will be fixed once and for all. While different implementations of a same algorithm, sharing a conceptual vulnerability, will likely lead to staggered fixes and several vulnerability windows.
- two products having an "overlap" is the same thing as either conflicting products or duplication of effort. If I want overlap, I purposely buy two products so that I can control the overlap - instead of relying to a chance duplication, whose extent might not even be fully known (because two products from the same vendor will have two different focuses; the overlap then will likely be in the "peripheral vision" area of both. If it's something that comes for free, an extra, I can enjoy it; but rely on it? Think again).
Here, again, these factors have to be assessed vendor-wise and considered in the light of your company's policy, budget and needs.