I have built and shipped production web applications for many large orgs with millions of users. Used 1-2 libs tops that i reviewed myself.

Also now as someone that runs a security consulting firm, we absolutely have clients that review 100% of dependencies even when it is expensive.

Both are valid options.

Normalized negligence is still negligence.