I agree as well, however for example for FOSS projects, it's exactly as you say, an inconvenience to secure and we comeback to the "I pray that no one exploit X".

FOSS projects are a different beast since contributors are working for free and no contributors might have the time to fix a security bug or review a PR fixing one.

I might add however that most companies use FOSS projects without paying for or contributing to them.

The onus is still on the final user to make sure that the code they use is safe.