Ah, this makes total sense. The other day I read how some factories are dumping pollutant chemicals in rivers. But it turned out to be all fine, as there were no wrong intentions; it just was not economically viable for them to properly dispose of the waste.
Congratulations, you found the solution to the problem. Hold companies liable for the damages their sloppy security practices create. Bruce Schneier wrote an excellent article on the topic in 2003 [1].
This is more a coordination/incentive/game theory problem than a cost one. If all the companies that use open source libraries contributed resources to pooled audits, then individually they'd have to pay far less than if each reviewed its dependencies on its own.
Maybe that could be incentivized by penalizing data breaches caused by negligence and treating the use of non-audited code as negligence. But I suspect this would just result in people running some random static analysis tool and calling it a day rather than doing proper code reviews.
Penalizing does not work, period. Religion tried with scare tactics for thousands of years. Sharing the costs of auditing the open source libraries that companies depend on would need a platform to share the load, something like a Patreon for businesses.
They are not “too lazy”. It’s not economically viable for them to do so for various reasons.