Comment by aaravchen

BOMs are used when they're legally required or if the company has a sufficiently mature cyber security stance, but those both tend to focus mostly on shipped client code versus server-onlt code. Usually you end up with a highly fragmented set out different "BOMs" that are only present as language-specific lock files for the proteins of code that support it.

Lots of games are written in C++ to this day for example so they can eek out every bit of possible performance no matter the trickery required. I would presume this extends to server side of MMOs etc too. C++ has no standard build system even, it's sort of settled on CMake mostly, which has minimal native (working) support for dependencies even, let alone lock files and/or BOMs.