Right now the only codebase I care about them fixing vulnerabilities in are the 3800 repositories that got stolen from GitHub.

"Vulnerabilities in the software that makes the internet" is honestly lower priority than "The platform that the software that makes the internet uses to make releases" If buyers of those internal repos find ways to break into GitHub such that they can cut software releases, or poison github actions from a distance, then we're all in a very ugly mess.

Don't forget that in those 3800 repos is likely also npmjs.org itself.