Hacker News

irishcoffee, yesterday at 11:25 PM (2 replies)

> unless you work for a government contractor where they have strict security policies

... So you're saying there is a blueprint for mitigating this already, and it just isn't followed?


Replies

kankerlijer, yesterday at 11:42 PM

It's more work and more restrictive I suppose. Any business is free to set up JFrog Artifactory and only allow the installation of approved dependencies. And anyone can pull Iron Bank images I believe.

parliament32, yesterday at 11:38 PM

Yes, but it requires people. Typically, you identify a package you want (or a new version of a package you want) and you send off a request to a separate security team. They analyze and approve, and the package becomes available in your internal package manager. But this means 1) you need that team of people to do that work, and 2) there's a lot of hurry-up-and-wait involved.

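Both replies describe the same control: a request-and-review step that ends in a list of sanctioned packages and versions, with the internal package manager serving nothing else. As an added example (not code from the thread or from any of the products named), here is a policy check that compares a pinned `requirements.txt` against such an allowlist; the allowlist, the lockfile and the `--hash` value are constructed samples.

```python
"""Check a pinned requirements file against an internal allowlist of approved packages."""
import re

# Constructed sample allowlist: normalized package name -> approved versions.
APPROVED = {
    "requests": {"2.31.0", "2.32.3"},
    "urllib3": {"2.2.2"},
    "pyyaml": {"6.0.1"},
}

# Constructed sample lockfile in the form pip-compile emits (hash is a placeholder).
SAMPLE_REQUIREMENTS = """\
# generated by pip-compile (constructed sample)
requests==2.32.3 \\
    --hash=sha256:placeholder
PyYAML==6.0.1
urllib3==1.26.18
left-pad>=1.0
"""

# name, comparison operator, version; stops at whitespace, markers (;) or a continuation backslash
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|<=|!=|<|>)\s*([^\s;\\]+)")


def normalize(name):
    """PEP 503 normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(text, approved):
    """Return (name, reason) for every requirement that would violate the allowlist policy."""
    violations = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, and option/continuation lines such as --hash or -r.
        if not line or line.startswith(("#", "-")):
            continue
        m = _REQ.match(line)
        if not m:
            violations.append((line, "unparseable requirement"))
            continue
        name, op, version = normalize(m.group(1)), m.group(2), m.group(3)
        if op != "==":
            violations.append((name, "not pinned to an exact version"))
        elif name not in approved:
            violations.append((name, "package not on allowlist"))
        elif version not in approved[name]:
            violations.append((name, f"version {version} not approved"))
    return violations
```

Run over the sample, the check rejects the unapproved `urllib3` version and the unpinned `left-pad` range while accepting the differently-cased `PyYAML` pin.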