> What would have happened if you had written those vulnerabilities yourself?
Hopefully nothing. After all, if all the open source eyeballs on those products weren't enough to stop those bugs, then surely it's unreasonable to punish your own developers for not doing better. Yes, there's value in using common resources and certainly benefits from those other eyeballs. But this sort of "hiding in the herd" is also why we still have organizations implementing mandatory password rotations. As a society we really need to do a better job distinguishing between "theoretically preventable" and "negligently broken" and stop punishing people (or threatening to punish them) for "theoretically preventable" issues.