If you are a company that processes personal information as a sub-processor, you must provide a Data Processing Agreement (DPA) when a customer asks for one. No exceptions. Treating this as a ‘premium service’ or as custom contract terms won’t fly, so don’t make it available only to premium customers who cross some revenue threshold. This isn’t part of an information security risk assessment; it is an important contract that describes both parties' obligations under Article 28 of the GDPR.
I’ve helped multiple companies put in lightweight pre-signed DPAs that require very little additional overhead once drafted, and demonstrate a clear understanding of a data processor's obligations.
And if you are a data controller, or a processor with sub-processors of your own, and can’t get your vendors to provide a DPA, consider also maintaining your own DPA to cover this reverse situation so that your Article 28 obligations are met.