Supply chain management
It's going to come down to the IT equivalent of supply chain management making sure of the provenance of each element of the container, current patching levels for those elements, and noting incompatibilities that are reported to the developers. Further, every developer is going to have to spin up a current image and test their modifications although we have automatic building and testing tools, so it shouldn't be impossible to restructure the processes for containers. Difficult I'll buy.
Like many an admin I have my fairly hefty collections of images here and keeping them spruced up is a headache. Since the images rarely change, individually, I tweak them during the full system backup window. Watching the backups or building images. Sheesh. Some Sunday!