...

  • You don't fix supply chain issues by focusing exclusively on the means of production.

    • If we could somehow make perfect releases of all ASF projects tomorrow, it would literally take years before we would see the effects, and there would be plenty of cases where the update would never be applied.

  • Community is defined by those who show up.

    • We have plenty of components which are widely used, yet many of those who use them either don't review the code or choose not to contribute back their fixes.

  • Vulnerabilities aren't always isolated to a single component.

    • In the case of the recent log4j vulnerability, JNDI (a part of the Java runtime library) is a critical part of the exploit. We tend to treat "JNDI injection" as if it were a known problem, but, just like "SQL injection" and other injection problems, this is demonstrably not the case. If it were possible to improve those common components, that could be a very big win.

...