alt Hacker NewsA central package cooldown is not really any different to individual cooldowns.
The main reason for the cooldown is so security companies can find the issues, not that unwitting victims will find them.
One problem of the central cooldown is that it restricts the choice to be able to consume a package immediately, and some people might think that a problem.
I can't help but wonder why security reviews aren't standard practice. Surely enterprises would be willing to pay for that? You get the default releases as they are today, then a second line that get a "security reviewed" certification released at most a few weeks later.
Of course the problem there is that security audits are fallible. Some issues are so subtle that they are only revealed years after they're introduced, despite them being open source and subject to potentially all the tools and eyes.