That can be okay. The problems we're worried about come when it's government mandated.

The EU Cyber Resilience Act puts heavy liability on vendors for software vulnerabilities that get exploited, including in open-source components they incorporate. OSS devs are shielded - liability is on the companies who incorporate OSS into commercial stuff.