I don't think it really is that provocative -- clearly if you have no relationship with an open source project then they don't owe you anything, and you can't rely on them. So if your project is mission critical, then you either need to start up that relationship or apply internal engineering effort to vetting their code.
Of course I'm sure the second person to touch a computer did something irresponsible with it, so what can you do, right?