Because software is a massive house of cards and its bottom layers are poorly-funded people and volunteer groups who can't conceive every possible security issue, don't necessarily engage in every best practice to secure their accounts and publishing pipelines, can't single-handedly provide adequate oversight of all their dependencies, and might fall prey to a targeted attack or tempting offer.
And then on top of that are companies building software and prioritizing new features over revisiting old code.
Because software is a massive house of cards and its bottom layers are poorly-funded people and volunteer groups who can't conceive every possible security issue, don't necessarily engage in every best practice to secure their accounts and publishing pipelines, can't single-handedly provide adequate oversight of all their dependencies, and might fall prey to a targeted attack or tempting offer.
And then on top of that are companies building software and prioritizing new features over revisiting old code.
[dead]
[dead]