
Honestly, the way I wish we could fix this is to go back to people paying for software they rely on.

It would be (in my opinion) a fascinating court case to sue a company which got hacked which used lots of OSS, which all had a warranty that says "may not be fit for purpose".

If you built a house out of wood labelled "no warranty, may not be fit for purpose", and it fell down, I imagine you would be held responsible.



Honestly, the way I wish we could fix this is to go back to people paying for software they rely on.

How would that be enforced though? Most companies aren't going to be ok making outside connections to the wider internet to check that their JSON de-serializing package can be used.


Never mind enforcement, getting people to pay for things in the first place is actually really hard. Just look at Docker. They only charge for companies with more than $10 million of revenue or greater than 250 employees, yet every time they come up, they're accused of rug-pulling, and few people actually want to pay them for saving them time. Or maybe it's just a vocal minority.

At the other end of the enforcement spectrum is an enterprise-y place like Oracle and their army of lawyers. They may not be popular, but developer goodwill doesn't pay the bills, paying customers do. Sun never learned that lesson.

At the end of the day, if it's useful enough, IT can make a hole in the firewall. Just look at Splunk.



