Re: But.. you have the source code, right?
you're going to use outdated libraries after a while
True, but if they are updated with each product release they still meet the needs of the product. Trying to always have the latest of everything is a security nightmare, and not what our customers wanted. Stability was far more important to them than unnecessary bells & whistles.
how do you handle any security vulnerability found in the approved code?
Always a problem, and why they insisted that the product had to have an active community. Preferred option was to incorporate a fixed version in a patch or later release. For critical issues it might mean an internally-developed fix until the next community release could incorporate it.
How long does it take to deliver a patched version of your application?
Regular releases were likely quarterly, an emergency fix could be out in a week, less for cloud-based deployments.
Most industries expect the supply chain performs most of the certification of their products...
They shouldn't just expect it, it should be written into the SLA, but I know few OSS 'products' that will accept that, so "trust, but verify" is the best approach.