I think developers almost always do address security, it's just that security is insanely hard and most aren't dedicating security specialists.
CVEs are almost always patched in hours to days on mainstream software; it's rare to just leave doors open. The difference seems to just be in how much people tolerate things that might possibly have an unknown risk, just because they are big or use dependencies, or because they allow a user to do something that might be a bad idea in some contexts (like have an unencrypted hard drive).
If you need extreme security, or some other specialist requirement, you're totally right, mainstream ecosystems can be unsuitable.