Not much different, no, and people have equally bad practices around programming package managers as well.
The entire dev ecosystem has terrible security hygiene, largely because of the pressure to move fast, and real security controls by their nature limit flexibility and can slow most processes down.