Yup, absolutely. I get why this is the case, but when things like this log4j vuln happen, and people at work start complaining the fix isn't released quickly enough, or in a particular way, all I can think is "you get what you pay for, and you were thrilled to pay zero, so here we are".