Agree, and we saw this play out with Trivy/TeamPCP recently. One misconfigured workflow, underfunded maintainers, and it spread across five ecosystems in days. £5M split between projects is a start but pretty thin. Hope it sets a precedent though.