It's worth remembering that mod development/ecosystem has a very different engineering approach compared to software engineering in companies, or even FOSS at large. If you asked around in a modding community about software development, you'd get very different responses compared to the in-house company Slack or whatever.

Of course, it's a largely hobbyist venture, which also inadvertently makes it more difficult to audit. But the software engineering aspect was not really the point, just the context: the vast majority of people will just blindly install anything (regardless of whether it's open or closed source), clicking through the installation wizard, accepting the prompts for admin privileges, etc, without a care. But even within the minority of us end users who know what "open source" even means, there's a shocking amount of people who assume that an open source project is necessarily safer because, well, the source is publicly available... someone must've already done an audit, therefore it's safe.