> single-maintainer projects (or subsystems, or packages) will be seen as risky
I would actually see a single-maintainer project as less risky. Looking at the XZ backdoor issue in particular, nobody even knows who the person is that introduced it. With a single-maintainer project, you only have to trust one person, who is often a known quantity.