Most the stuff on github is something one person wrote, stuck on there, and nobody uses. Then there's a bunch of things that are one person, but some small number of people use or have used it. Most big OSS programs have more than one person behind them. The vulnerable things tend to be dependencies of larger projects - small, but useful enough to get used in larger things.