It would be good if there were some rating agencies that rated the big dependencies, and if the government would bail out the packages that became too big to fail. However, this means there is a need for money. Until companies collectively understand the value of having a stable base that reaches further than the core language, and pay taxes and set up rating agencies, all languages will just be a mess of unmaintained dependencies with security issues.