Here's how to fix "Open-Source Security": pay every maintainer of critical OSS infrastructure the equivalent of a good Silicon Valley staff-level software engineer, keep them happy, and give them support whenever needed, whether it is testing, fuzzing, security audits, or whatever.
You don't just sit there and complain hobbyists not being able to produce unpaid work that is both always secure and reliable.