Comment by corty

4 years ago

Maybe for employees, but usually it is a contractor of a contractor in some outsourced department replacing your employees. I'd argue that in such common situations, you are worse off than with randos on the internet sending patches, because no-one will ever review what those contractors commit.

Or you have a closed-source component you bought from someone who pinky-swears to be following secure coding practices and that their code is of course bug-free...