Funny scenario which may or may not represent the current IT world.
Let's use modules in code, so that one single place can be fortified with all precautions.
A third-party developer finds a flaw and fixes it; everyone else uses the updated version; the world is instantly more secure.
Let's use modules as it saves development time, less headache for us.
We don't fully trust the third party to keep going in the same direction as us, so freeze the version.
News about OSS devs modifying code against policies is popularized. Third-party dependency tool companies take it to the next level and spread the news: you can't trust modules.
New approaches, from version freezing to hash-based mapping, come into the picture, reducing risk, as a version could be easily overwritten but not a code commit hash.
A bug appears in the code; the author fixes it; everyone using the module, or at least those who are aware, fix it; anyone using that software updates their code base; this keeps cascading down to lower levels.
And maybe, just maybe, in the next 5 years the world is instantaneously better secured. /s
Who is at fault? What can be done to reduce unnecessary loops? Is fixating on third-party dependencies the right approach? Should the focus be somewhere else? Some interesting questions with no clear answers.
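The post's point that a version string can be overwritten while a content hash cannot, shown as an added example that is not part of the original post: a toy lock file with a version-only pin next to a hash pin, run against a constructed in-memory registry that re-serves the same version with different bytes (the registry, package name, and artifacts are all assumptions built here, not a real registry).

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed artifacts: the bytes first published for a version, and a
# different blob later re-uploaded under the same version string.
ORIGINAL_ARTIFACT = b"def add(a, b):\n    return a + b\n"
REPLACED_ARTIFACT = b"def add(a, b):\n    # tampered content\n    return a + b\n"

# Assumed registry shape: (name, version) -> artifact bytes. Real registries
# differ; this models one that lets a version be re-published.
Registry = Dict[Tuple[str, str], bytes]


@dataclass(frozen=True)
class LockEntry:
    name: str
    version: str
    sha256: Optional[str] = None  # None models a version-only pin


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_hash_pin(name: str, version: str, artifact: bytes) -> LockEntry:
    """Record the hash of the artifact actually reviewed at lock time."""
    return LockEntry(name, version, sha256_hex(artifact))


def install(entry: LockEntry, registry: Registry) -> Tuple[bool, str]:
    """Return (accepted, reason). A version-only pin trusts whatever is served."""
    artifact = registry[(entry.name, entry.version)]
    if entry.sha256 is None:
        return True, "version pin only: content not verified"
    actual = sha256_hex(artifact)
    if actual != entry.sha256:
        return False, f"hash mismatch: expected {entry.sha256[:12]}, got {actual[:12]}"
    return True, "hash verified"


def demo() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """(version_pin, hash_pin) acceptance before and after the version is overwritten."""
    registry: Registry = {("examplepkg", "1.2.3"): ORIGINAL_ARTIFACT}
    version_pin = LockEntry("examplepkg", "1.2.3")
    hash_pin = make_hash_pin("examplepkg", "1.2.3", ORIGINAL_ARTIFACT)
    before = (install(version_pin, registry)[0], install(hash_pin, registry)[0])
    registry[("examplepkg", "1.2.3")] = REPLACED_ARTIFACT  # same version, new bytes
    after = (install(version_pin, registry)[0], install(hash_pin, registry)[0])
    return before, after
```

The same check is what `pip install --require-hashes` or a package-lock integrity field performs; the trade-off the post describes is that a hash pin also refuses the author's legitimate fix until the lock is regenerated.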