
bluGill, yesterday at 6:32 PM (2 replies)

What user is going to check dependencies like that?


Replies

dec0dedab0de, yesterday at 6:49 PM

I was really saying that if there is a compromised version that gets removed from NPM, then the projects using it do not need to be updated, unless of course they had the compromised version pinned.

Though plenty of orgs centralize dependencies with something like Artifactory, and run scans.

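The check under discussion (which installed versions are on a compromised list, and whether a pinned declaration would keep a project on a removed version), as an added example that is not code from either commenter. All data is constructed: the package.json, the lockfile, and the advisory list are placeholders, not real packages or real advisories.

```python
"""Check a project's locked npm dependencies against a list of known-compromised
package versions, and flag whether each hit is pinned exactly in package.json.

Constructed sample data throughout; the advisory list is a placeholder, not a
real advisory feed.
"""
import json
import re

# Constructed package.json: one dependency pinned exactly, one with a caret range.
PACKAGE_JSON = json.loads("""{
  "name": "demo-app",
  "dependencies": {
    "example-pinned-lib": "2.1.0",
    "example-ranged-lib": "^4.0.0"
  }
}""")

# Constructed package-lock.json (lockfileVersion 3 layout: entries keyed by
# their node_modules path, including nested transitive dependencies).
PACKAGE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/example-pinned-lib": {"version": "2.1.0"},
    "node_modules/example-ranged-lib": {"version": "4.2.3"},
    "node_modules/example-ranged-lib/node_modules/example-transitive": {"version": "1.0.9"}
  }
}""")

# Placeholder advisory data: package name -> versions reported as compromised.
COMPROMISED = {
    "example-pinned-lib": {"2.1.0"},
    "example-transitive": {"1.0.9"},
}

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def installed_versions(lock):
    """Yield (package name, version) for every non-root entry in the lockfile."""
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # The package name is everything after the last "node_modules/" segment;
        # this keeps scoped names such as "@scope/name" intact.
        name = path.rsplit("node_modules/", 1)[1]
        yield name, entry.get("version")


def is_pinned(manifest, name):
    """True when package.json declares an exact version for a direct dependency.

    A pinned project stays on that version even after the registry removes it,
    so it needs a manual update; a range-declared project picks up a clean
    version on its next install.
    """
    spec = manifest.get("dependencies", {}).get(name)
    return bool(spec) and EXACT_VERSION.match(spec) is not None


def find_compromised(lock, manifest, advisories):
    """Return one finding per installed version that appears in the advisory list."""
    findings = []
    for name, version in installed_versions(lock):
        if version in advisories.get(name, set()):
            findings.append({
                "package": name,
                "version": version,
                "pinned": is_pinned(manifest, name),
            })
    return findings


if __name__ == "__main__":
    for hit in find_compromised(PACKAGE_LOCK, PACKAGE_JSON, COMPROMISED):
        action = "manual update required (pinned)" if hit["pinned"] else "reinstall picks up a clean version"
        print(f"{hit['package']}@{hit['version']}: {action}")
```

The same walk over `packages` works for a real lockfile; in a CI job the advisory dict would be fed from whatever scanner or registry proxy the org already runs, which is the centralized setup the comment describes.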
kibwen, yesterday at 7:02 PM

Users who don't care about security are screwed no matter what you do. The best you can do is empower those users who do care about security.
