They don't have to. They can do the paid secure images for the commercial offerings and keep the other ones free. Or they could free the secure images for everyone if they feel like that.

Hmmmm, I'm not sure that's how it would be read. If there's any 'associated commercial activity', it falls under the CSR, even if the images themselves are free and open source.

(That said, the overhead of the CSR is really not much, from what I can tell. It's pretty lightweight as EU standards go)