That's a really good point. Where I remain at least somewhat concerned is for example suppose that one day curl pushes a terrible bug to production that results in all sorts of nasal demons flying out of client devices. Is this free code that was picked up off the side of the road thus zero liability? Or is this a trusted product written and maintained by a professional that has stood the test of time thus there might be liability because there's an assumption that official updates will be fit for purpose?

Now if I were running a small business I might choose not worry about the tail risk of my product causing a few million dollars in harm or (more likely) I'd have insurance to cover that. But someone tossing code along the side of the road presumably doesn't have (and doesn't want to think about) insurance and meanwhile the tail risk has become nearly unbounded thanks to the effectively arbitrary number of deployed instances.

I think there's also some benefit to having a big fat NO WARRANTY clause at the top of the license file because it might give you a better chance of a summary dismissal (or even deter the other party from trying in the first place) since as we all know the process itself can be ruinous even if you eventually prevail.

Which is all to say that I share your view. Willingly negligent vendors that cut costs by omitting security while viewing the resultant mishaps as an inescapable reality ought to be held accountable. But I think it would also be a good idea to add an official exemption for software that's made available free of charge. It seems like if you pick something up off the side of the road any mishaps that follow from that should necessarily fall to you.