I don't think this is wrong, but I don't think it will be a problem in practice. One alternative to cooldowns is commercial repackagers, like Chainguard. As long as there are commercial clients who want a validated source of packages, there'll be a market for providing a security wrapper around private package repositories. It's in their interests to a) be quick to get new package versions through, and b) share any fixes they make or any problems they find with the upstream, because it's always going to be cheaper to do that than maintain a long tail of proprietary security patches (not to mention the risk of the clients complaining about either licence problems or drift from the original projects).

That means there's an incentivised slot in the ecosystem for a group of package consumers who are motivated to find security problems quickly. It's not all on the wider development community.