Comment by bulbar

Realistically, most folks don't get paid to mitigate long term risks by deviation from the common (and more efficient) practice.

Big companies have security roles on multiple levels, enforcing policies and not allowing devs to just install any package. That's not new but started maybe 15 years ago.