Having spent too much time in OS security, I wish people building today's products could realize and internalize just how their project is a house of cards built on top of a house of cards, security-speaking. We've normalized a seriously insane amount if sketchy shit that the critique of a modern product core to many linux OS distributions was seen as just old people ranting ... and the shady shit continued.
One day we're going to run into a series of deep-seated security exploits that will blow our mind and cause a chernobyl of damage, and we may not even link it to a particular weak link among SO MANY weak links; but that's what we're looking at. And the fact that we're ignoring common-sense, best-practice rules to develop core apps is leaving a hole in the proverbial fence that we're ignoring as well.
Saw in the news recently that it was possible to radio an exploit to semi trucks in a way that could spread every time two trucks pass each other (default passwords, natch.) - and it's just utterly unsurprising.
Having worked in product security, the biggest challenge we faced was upstream vulnerabilities in both closed and open source software. The biggest problem with FOSS is that its allure is the F part. No company wants to dedicate resources to patching vulnerabilities in software they don’t own, and no OSS developer wants to work for F500 companies for free.