The model we have works for used packages. If a package is used by a large company and requires maintenance, the company pays its engineers to do it, and the rest of us receive the updates for free due to the license.

However, the system breaks down for packages that are not used by major companies (or are stable and safe enough to avoid triggering an alarm).

There is no viable way to fund continuous support for every forgotten open-source project.