Re: The deeper issues
It's true that security as an overall discipline is hard, but some things are really easy; the important issue is that businesses and developers don't like the answer.
Pulling in 50K packages, any of which could have an exploit? Your entire design is broken. Want to fix it? You should be obtaining, with Actual Real Money or developer code review of each new change, a set of libraries that are very likely to be secure. These are the only libraries that you use. That also means, as a logical consequence, that you're probably not following the bleeding edge, as developer time to review everything is expensive and slow.
You're *definitely* not automatically just pulling the latest version of things from the public web for builds or systems, either[1]; it's all hosted locally. If the design 'needs' to automatically pull the latest version of a component to build, again, it is fundamentally broken.
So the question is how secure things need to be, and where money is involved, the natural answer is 'not very'.
I realise this becomes difficult or expensive, especially when open source is involved, but it is abundantly clear that most people only care about speed of development, and security is a vague afterthought.
[1] Unless it's SaaS, which is certified and, again, you are paying for it to be maintained and secure.
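The discipline the post above argues for (a curated set of reviewed libraries, exact version pins, and builds that resolve only against a locally hosted mirror) can be enforced mechanically as a build gate. The following is an added example and is not code from the post's author; the mirror URL, the allowlist contents and the sha256 digests are constructed placeholders, and the input uses pip's requirements-file syntax because it is the most familiar lockfile shape:

```python
"""Audit a pip-style lockfile against a curated allowlist and an internal mirror.

Added example, not code from the original thread. The mirror URL, the
approved package set and the digests are all constructed for illustration.
"""
import re
from typing import Dict, List

# Hypothetical internal mirror: the only index a build is allowed to resolve against.
INTERNAL_INDEX = "https://pypi.internal.example/simple"

# Curated allowlist produced by review: package -> version -> sha256 of the
# reviewed artifact. Digests here are placeholders, not real artifact hashes.
APPROVED: Dict[str, Dict[str, str]] = {
    "requests": {"2.31.0": "sha256:" + "a" * 64},
    "urllib3": {"2.0.7": "sha256:" + "b" * 64},
}

# Constructed sample lockfile (pip requirements syntax), deliberately mixing
# one good entry with the mistakes the audit is meant to catch.
SAMPLE_LOCKFILE = f"""\
# constructed sample, not a real project's lockfile
--index-url https://pypi.internal.example/simple
--extra-index-url https://pypi.org/simple
requests==2.31.0 --hash=sha256:{'a' * 64}
urllib3>=2.0 --hash=sha256:{'b' * 64}
leftpad==1.0.0 --hash=sha256:{'c' * 64}
"""

INDEX_RE = re.compile(r"^(?:--index-url|-i)[\s=]+(\S+)$")
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S*)(.*)$")
HASH_RE = re.compile(r"--hash=(sha256:[0-9a-f]{64})")


def audit_lockfile(text: str) -> List[str]:
    """Return one finding per rule the lockfile breaks (empty list = clean)."""
    findings: List[str] = []
    index_ok = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue

        # Rule 1: builds resolve only against the internal mirror.
        if line.startswith("--extra-index-url"):
            findings.append(f"line {lineno}: --extra-index-url lets pip fall back to an outside index")
            continue
        m = INDEX_RE.match(line)
        if m:
            if m.group(1).rstrip("/") == INTERNAL_INDEX:
                index_ok = True
            else:
                findings.append(f"line {lineno}: index {m.group(1)!r} is not the internal mirror")
            continue

        # Rule 2: no direct fetches from the web (editable, VCS or URL requirements).
        if line.startswith(("-e ", "--editable", "git+", "http://", "https://")) or " @ " in line:
            findings.append(f"line {lineno}: requirement fetches directly from the web, bypassing the mirror")
            continue
        if line.startswith("-"):
            continue  # other pip options are out of scope for this audit

        m = REQ_RE.match(line)
        if not m:
            findings.append(f"line {lineno}: unparsable requirement {line!r}")
            continue
        name, op, version, rest = m.groups()
        name = name.lower()

        # Rule 3: exact pins only; ranges silently float to whatever is newest.
        if op != "==" or not version:
            findings.append(f"line {lineno}: {name} is not pinned to an exact version")
            continue

        # Rule 4: every pin carries a hash, and it matches the reviewed artifact.
        hashes = HASH_RE.findall(rest)
        if not hashes:
            findings.append(f"line {lineno}: {name}=={version} has no --hash; the build trusts whatever the index serves")
        approved = APPROVED.get(name, {})
        if version not in approved:
            findings.append(f"line {lineno}: {name}=={version} is not in the reviewed allowlist")
        elif hashes and approved[version] not in hashes:
            findings.append(f"line {lineno}: {name}=={version} hash does not match the reviewed artifact")

    if not index_ok:
        findings.append("no --index-url for the internal mirror; pip will default to the public index")
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCKFILE):
        print(finding)
```

Run as a CI step that fails the build on any finding, ahead of the actual `pip install --require-hashes -r <lockfile>`. The allowlist is the artifact that review (or the money the post mentions) produces; adding a version to it is the deliberate, slow step, and the audit makes sure nothing reaches the build without passing through it.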