I'm not so sure...
1) While it surely took months to set up SolarWinds, not every attack of this sort is going to be this deep.
2) Not every attack is going to hang out for years until it is discovered.
But yeah, if you think that an sBOM is going to do you any good, never look at your Node dependencies.
So I agree that these threats are better viewed from the standpoint of defending against sophisticated actors; I'm just not as smiley about our ability to actually do so.
I do wish they had talked about running your own semi-mirrors. Just because rubygems.org goes down doesn't mean you have to. Just because someone pulls their code in a snit doesn't mean you have to manage some kind of workaround. Just because someone screws up a version indicator doesn't mean you have to wait for half of the community to produce a fix. And should a library actually be compromised on the main server, it's simple to blackhole it on your own server & be done.
Yes, there is a significant cost involved. Security is not cheap.
But again, sBOMs seem to poorly address issues that should be handled at a slightly higher level.