What does open source have to do with this? Microsoft took 3 patches over half a year to fix a readily exploitable printer vulnerability. They just kept patching so that the exact exploit code did not work, without addressing the actual issue. And researchers kept submitting patched exploits.
It service is not open source either.
A vexed issue with open source code: When it comes to a known exploit causing thousands of people to lose millions of dollars, who exactly do they sue for damages? So who was it exactly who failed to show due diligence? And do they have any liability if it was their responsibility?
Open hosted projects are made from a loose conglomerate of core developers and others who have some technical or other altruistic motive for joining in. Whether they give their expertise for free or are on someone's payroll, they are still providing a product AS-IS per the MIT License. There may be a governance corporation at the center of the project which owns the branding (name, logo, ringtone, keyring, gonk), but they do not own the IP rights to anything else. With the decentralized nature of the blockchain Web 3.0 paradigm, they don't have to.
In the case of this hack, where exactly did the responsibility for patching that exploit lie? Whose job was it? Who gets sued? Who gets fired? Who gets exonerated?
The thinkers behind Web 3.0 need to start thinking this out - before our dumb government lawyers come up with another box of fudge.