@jzb What I am trying to say is that there are two sides here. Solving and cleaning up after it happened is #1. That is what I am talking about. #2, what you mention, is how to harden the FOSS ecosystem proactively to reduce the risk of stuff "hiding in plain sight" in FOSS. That's a far wider field with many more unknowns.
We just shouldn't mix the two things because that leads to open ending arguments and not to solutions, IMHO.