This may be true long term but not short term. It also assumes that white hats will be as motivated as black hats – not true.

For projects with NO WARRANTY, the risk is minimal, so yes there are upsides.

For a commercial project like cal.com, where a breach means massive liability, they don’t have the resources to risk breaches in the short term for potentially better software in the long term.