The intersection of entities whose security is based around "responding to every CVE quickly" and the entities that care about supporting OSS projects has measure zero.

well... our core users are ISVs (who distribute commercial software into enterprise controlled, self-hosted environments... think big banks, governments, tech companies). They care about supporting OSS (almost 1/2 of them are open core themselves) and their customers mandate that they care about closing out CVEs quickly in the software they're consuming from them.