swiftcoder, 2 days ago:

The problem is making it a default (or even popular). If everyone tries to move themselves later in the chain, you just moved detection later in the chain as well.
dingdongditchme, 2 days ago (reply to parent):

Yes. But also infection with a malicious package. I don't want anybody to be hacked and also don't want everybody to be hacked at the same time. If I am managing multiple software components with different levels of reliability requirements I certainly would stagger updates and updates to dependencies using "dependency cooldowns". I don't fault anybody for using them. As it stands I am very conservative with dependencies/updates in general and not using "dependency cooldowns" yet.
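The staggering that the reply above describes, as an added illustration that is not code from either commenter: a small cooldown policy that makes each component wait a different number of days before adopting a new release, and that drops a release if it is withdrawn during the window. The package name, release dates, tier names and cooldown lengths are all constructed for the example; the only real concept is the one the thread discusses, adopting a version only after it has been public long enough for others to hit problems first.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Release:
    version: str
    published: date
    withdrawn: bool = False  # set once the registry or a scanner flags the release


# Constructed release history for a hypothetical package "examplelib" (not a real package).
EXAMPLELIB_RELEASES = [
    Release("1.4.0", date(2024, 5, 1)),
    Release("1.4.1", date(2024, 5, 20)),
    Release("1.5.0", date(2024, 6, 3)),  # newest; still young on the sample date below
]

# Cooldown: days a release must be public before a tier adopts it, staggered by how
# much reliability each component demands. Assumed policy values, not a standard.
COOLDOWN_DAYS = {"critical": 14, "standard": 7, "experimental": 0}

# Constructed component inventory: component name -> reliability tier.
COMPONENTS = {
    "payment-service": "critical",
    "internal-dashboard": "standard",
    "dev-sandbox": "experimental",
}


def _version_key(release: Release):
    # Numeric ordering of dotted versions; enough for the constructed data above.
    return tuple(int(part) for part in release.version.split("."))


def select_version(releases, today: date, cooldown_days: int) -> Optional[Release]:
    """Newest non-withdrawn release that has been public for at least cooldown_days."""
    min_age = timedelta(days=cooldown_days)
    eligible = [r for r in releases if not r.withdrawn and today - r.published >= min_age]
    return max(eligible, key=_version_key, default=None)


def plan_updates(components, releases, today: date) -> dict:
    """For each component, the version its tier's cooldown permits on `today`."""
    plan = {}
    for name, tier in components.items():
        chosen = select_version(releases, today, COOLDOWN_DAYS[tier])
        plan[name] = chosen.version if chosen else None
    return plan


def adoption_dates(release: Release) -> dict:
    """Earliest date each tier would adopt `release`: the stagger the cooldowns create."""
    return {tier: release.published + timedelta(days=days) for tier, days in COOLDOWN_DAYS.items()}


def withdraw(releases, version: str):
    """Copy of the history with `version` marked withdrawn (e.g. flagged as malicious)."""
    return [replace(r, withdrawn=True) if r.version == version else r for r in releases]


if __name__ == "__main__":
    today = date(2024, 6, 10)
    # On this date only the two lower tiers have waited long enough for 1.5.0.
    print(plan_updates(COMPONENTS, EXAMPLELIB_RELEASES, today))
    # When each tier would first pick up 1.5.0 if nothing goes wrong.
    print(adoption_dates(EXAMPLELIB_RELEASES[-1]))
    # If 1.5.0 is flagged during the window, the critical tier never installs it.
    print(plan_updates(COMPONENTS, withdraw(EXAMPLELIB_RELEASES, "1.5.0"), today))
```

Run on the sample date, the experimental and standard tiers already take 1.5.0 while the critical tier stays on 1.4.1 for another week; withdrawing 1.5.0 inside that week means the critical component never touches it. That is the "not everybody hacked at the same time" property the reply is after, and it also shows the cost swiftcoder raises: the tiers with a cooldown of zero are the ones doing the detecting.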