Maybe some of them were preventable, but if it were in place attackers would easily adapt to fool the automated systems and we would be back at the status quo.
>without reproducible build you can't independently verify anything.
This is a myth propagated by reproducible builds people. Byte-for-byte similarity is not required to detect that a Trojan was injected into one.
You are right, I should not have said "you can't independently verify anything", but then you generally need to know what you are looking for.