I think it's a long bow to draw from log4j to open-source security in general. I'm not saying there's nothing there, but in general the governance questions around this risk are (I think) pretty well thought out. The evidence is in the CVE process, and in things like OpenBSD's rigour in patching.
If you go to closed source, it's not really any better. Really, the problem is the dependency chain in infrastructure on any kind of externality which isn't understood. My memory is that Cisco IOS ran for decades with an implicit dependency on the (free) CMU SNMP library, or some similar code, which became the open threat. The risks in attacks on NTP and the like persisted a long time not because the coders didn't know there was a hole, but because the packaged dependencies on NTP code hadn't kept up: people were using older distros and older library bindings, without much awareness.
People who code these fundamentals (OpenSSL, LibreSSL, and similar code) take these risks extremely seriously. It's the roll-your-own code, and the second-order dependencies on these systems, which tend to have the gaps. Roll-your-own is usually just naive and well-meaning, without understanding of risk. Second-order dependencies may well know the risks in principle, and went to a crypto library to try and avoid them. The thing is, there is no static dependency which is safe. You have to keep current, to avoid open risks in the older code.
In general, indirect dependency chains through git, or through something like an NPM repo which can randomly update (or not) in the background, are pretty scary.
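The "randomly update in the background" concern above is about dependency specifiers that resolve to something different over time (semver ranges, `latest`, a git branch) rather than to a fixed artifact. The script below is an added example, not code from the commenter or from any project mentioned; it walks a constructed `package.json` (not a real one) and classifies each specifier as pinned, floating, or git-sourced-but-floating. The sample package names and the git URLs are made up for illustration.

```python
import json
import re

# Constructed sample package.json (not from any real project) mixing pinned,
# floating and git-sourced dependency specifiers.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "dependencies": {
    "left-pad": "1.3.0",
    "lodash": "^4.17.21",
    "express": "~4.18.0",
    "some-lib": "git+https://github.com/example/some-lib.git",
    "other-lib": "github:example/other-lib#main",
    "pinned-lib": "git+https://github.com/example/pinned-lib.git#0123456789abcdef0123456789abcdef01234567",
    "anything": "*",
    "latest-thing": "latest"
  },
  "devDependencies": {
    "mocha": ">=9.0.0"
  }
}
"""

# Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
# Prefixes npm treats as git or URL sources rather than registry versions.
GIT_PREFIXES = ("git+", "git://", "github:", "gitlab:", "bitbucket:", "http://", "https://")
# A git source is only stable if it names a full 40-hex commit SHA.
COMMIT_SHA = re.compile(r"#[0-9a-f]{40}$")


def classify_spec(spec: str) -> str:
    """Classify one dependency specifier.

    Returns:
      'pinned'        exact version, or git source fixed to a full commit SHA
      'floating'      registry range or tag that can resolve differently later
      'git-floating'  git/URL source tracking a branch, tag, or default HEAD
    """
    spec = spec.strip()
    if spec.startswith(GIT_PREFIXES):
        return "pinned" if COMMIT_SHA.search(spec) else "git-floating"
    if EXACT_VERSION.match(spec):
        return "pinned"
    return "floating"


def audit_dependencies(package_json_text: str) -> dict:
    """Return {package_name: classification} for dependencies and devDependencies."""
    data = json.loads(package_json_text)
    report = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            report[name] = classify_spec(spec)
    return report


def unpinned(report: dict) -> list:
    """Names of every dependency that can change without a manifest edit."""
    return sorted(name for name, cls in report.items() if cls != "pinned")


if __name__ == "__main__":
    rep = audit_dependencies(SAMPLE_PACKAGE_JSON)
    for name, cls in sorted(rep.items()):
        print(f"{name:15} {cls}")
    print("unpinned:", ", ".join(unpinned(rep)))
```

Pinning the manifest only fixes the version name, not the content; a lockfile with integrity hashes (npm's `package-lock.json` `integrity` field) is what ties the name to a specific artifact. And pinning cuts both ways in the sense the comment raises: once nothing floats, keeping current becomes a deliberate, periodic task rather than something that happens by accident.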