I don't think this trend much matters. Serious vendors concerned about security will simply vendor things like libxml2 and handle security inbounds themselves; they'll become the real upstreams.
Then they all have patches floating around, and get in trouble coordinating with each other. Long term, they would have to set up a foundation to manage these patches, call it the 'a patchie' foundation. Maybe they'll think about a cute name and release a webserver.