Reply to post: Fix symptoms, not problems

Security warning deluge from 'npm audit' is driving developers to distraction

Claptrap314 Silver badge

Fix symptoms, not problems

As mentioned, the issue is the sheer number of transitive dependencies. (And as a rubyist, I'm looking at YOU, DHH.) The idea that getting code out the door NOW is functionally the most important thing is what is driving this.

But, as I keep harping, in the end, the customer is king.

Someone posted a mention of James Dean's seatbelt. For those who do not know (such as myself, an hour ago), James Dean died in an automobile accident. Investigators determined that if he had been belted in, he would have survived. At the time, however, very few cars even had an option for seat belts. The article goes on to trace the history of seat belt usage, crediting this incident as getting the ball rolling. I was about 18 when the laws were being passed. I contemplated stopping wearing one in protest of the blatantly unconstitutional process by which those laws came about.

I'm afraid that the solution is going to involve legislation. Insurance looks like it is going to fail. (The costs are too high, companies will just ignore the risks.) Liability for directors/board members seems the most likely. The situation with Kaseya is a pretty good demonstration of why.
