
So what kind of good outcome do you propose? If I correctly understand what you are talking about:

- demand that open source projects fix all CVEs within a short, fixed time AND that all projects integrate all upstream and dependency changes almost immediately (or else maintain an array of older versions that are still used by someone)
- demand that proprietary software vendors avoid using any open source project that does not provide the above, and, within a short, fixed time, switch from any such dependency that has ceased providing these guarantees (e.g. the maintainer quit) to another one that does.

Which still leaves you with the risk of breaking stuff on upgrade, because now your product is basically a baby Debian sid: you must pull the newest versions all the time, and cannot stay on a stable version (which will not get patches).



