Half formed hot take: the Linux kernel CVE situation is the tip of an emerging iceberg as OSS people push back and refuse to do supply chain/security work for free just because third parties want it.
(AFAIK, the ultimate trigger was third party maintainers of old kernels wanting the mainstream kernel to note all changes that turned out to be security fixes so the 3rd parties could backport them and only them. Identifying what is actually a security fix is non-trivial extra work (& fallible).)