It's pragmatism. People want to get stuff done, so they get their tools from 12 different package managers and trust those.
Those repositories all have reputation to lose, so there is some incentive to hunt down bad stuff. Is it enough? Probably not for every use case but the right amount of resources to check everything all the time is certainly not "all resources".
I'm embarrassed to admit I don't use NixOS yet, but there's a million things on my to-do list and that's one of them.