It's a fine balancing act between getting the latest updates and avoiding supply chain attacks.
I completely understand the author here, because I'm actually also leaning more towards avoiding supply chain attacks than jumping on the latest CVEs.
It's just a gut feeling, rooted in 25 years of experience as a sysadmin, but I feel like a supply chain attack can do a lot more damage in general than most unpatched known vulnerabilities.
Just based on my own personal experiences, no real data.
I'll try to put words to it: a supply chain attack is more focused, with a higher chance of infiltration, while a CVE is very rarely exploited en masse, and exploitation often comes with many caveats.
That, combined with the current state of the world, where supply chain attacks seem to be a very high-profile target for state actors.
and those rare zero-days can be treated as the exception, and dealt with quickly. It seems backwards to optimize for dependency change reaction time these days with the supply chain such an attractive target.