Regular audits should be run on many of these 'small' bits of what are essentially critical parts of the infrastructure, but the question arises of "Who's going to pay for that?" It's tempting to say that it should be companies like RedHat that live almost wholly in the FOSS space. The problem with that is that everyone depends upon things like SSH even if they don't know it. The cryptographic protocols now built into servers of almost all kinds are absolutely critical to commerce to an astounding degree, but we don't really have anyone that is spending the time to look at the internals of them and make sure things like PRNGs, handshakes, fallbacks and such are properly written.
One of the biggest problems is that, in the case of physical infrastructure, government agencies would do this, and doubtless waste countless billions and introduce bureaucracy and multiple layers of cruft into the process. However, even if the government claimed it wanted to take on such a task, they simply can't be trusted with it. We know that the NSA has purposefully and with malice aforethought kept many if not most failures of software they've discovered secret, so they can exploit them at their leisure, regardless of how wide-open such actions leave all of us.
Feral governments, like ours and most others on the planet, have fundamental conflicts of interest in taking on such a task.
Perhaps we need something like UL (Underwriters Laboratories) for some critical FOSS. One problem is going to be identifying what is, and is not, critical. Is the TCP/IP stack critical infrastructure? I'd say so. What about APIs for financial transactions? Maybe, maybe not, depending upon how the API is constructed.
This entire subject does need some light and discussion.
Exactly. Too many people want(ed) to work on the flashy, "sexy" projects, and not enough on the boring, invisible ones.
You've pretty much brought up all the important points on this topic I was going to bring up, so there's not a lot more I can add.