I'd much rather they spent money hiring people to contribute to securing open source and doing outreach, rather than just some mandatory "software scanning" which generates noisy alerts no one does anything about.
Or neither. Just make a fund to hire talent to work all day hardening OSS projects. Rather than all the new mandatory meetings and oversight.