density,

I recall reading about a university ?compsci? lab where the professor who leads it assigns her students to examine priority dependency chains. They trace everything back and report on who is maintaining various upstream packages, and identify situations where it is like just one person or otherwise really vulnerable. Then they have some sort of institutional resources to offer that person support and add extra hands to the workflow. So it is more proactive than what you are describing in that they are going out and looking for things that could be problems, not just awaiting a disastrous exploit and patching it up after the fact.

But it's just some small group somewhere. On the main I think we agree on the deficit of support for FLOSS components and applications that functionally run the whole world. It's so crazy but invisible. I am not a developer, just a fan of developers and their work. Most people I know IRL are not developers. Everyone thinks the software on their phone works because Apple and Google pay engineers to build everything. They don't know about all the FLOSS components to the phone, the services it uses, the network, etc., and how so many bits and pieces are maintained in part or in whole by volunteers in their free time.

Remember when the boat got stuck in the Panama Canal and everyone was suddenly interested in supply chains? I foresee/fear the event that prompts the whole world to learn about dependency chains.
