LunaSea 3 hours ago
FOSS projects are a different beast, since contributors are working for free and no contributors might have the time to fix a security bug or review a PR fixing one. I might add, however, that most companies use FOSS projects without paying for or contributing to them. The onus is still on the final user to make sure that the code they use is safe.