There's a massive difference between "big open source" and "small open source". LF has been doing a great job at representing their member companies, each of which has a significant investment in big open source projects, most of which are well funded and staffed. Presumably there's some transitive support given to their dependencies too.
But then there is the very long tail of small open source projects, maintained by a single developer in their spare time, which collectively support the entire software ecosystem. And in every one of these announcements, there's rarely anything being done for this group.
Changing this wouldn't be difficult. AI-based vulnerability scanning of projects could be opt-in, where reports are only sent to the security contact listed in the project. This would avoid the risk of malicious actors scanning open source projects with the tool, and avoid sending reports to those projects that don't want them, while supporting the OSS software that doesn't make the "critical" threshold in LF's current criteria.
Unfortunately that would also mean spending LF member funds on projects that may not directly benefit those LF members, so I'm not holding my breath.