Hacker News

tonymet, today at 3:39 AM (2 replies)

Slow Russian roulette is still a losing strategy


Replies

btown, today at 3:57 AM

It’s only a losing strategy if you assume everyone universally adopts the slow strategy, and no research teams spot it in the interim. For things with large splash radius, that’s unrealistic, so defenders have an information advantage.

Makes actual security patches tougher to roll out though: you need to be vigilant to bypass the slowdown when you're actually fixing a critical flaw. But nobody said this would be easy!

neko_ranger, today at 3:57 AM

But wouldn't it work in this case? Sure, if a package was compromised for months/years it wouldn't save you.

But tell Dependabot to delay a week, and you'd sleep easy from this nonsense.
