This is a problem that Maven has created, mostly.
What the summary doesn't mention is that "large repository of open source software" is a Maven repository. Maven allows you to specify dependencies for your Java project.
The problem is that you have to specify a specific version of whatever you use. So let's say you use OpenFoo 1.1 and that at the time you write your code, the latest version of OpenFoo is 1.1.3.
Now assume a horrible vulnerability is discovered in OpenFoo 1.1.3, so they release OpenFoo 1.1.4 to fix it. Well, your Maven POM says you require OpenFoo 1.1.3, so until you go in and manually change that, you will only ever use 1.1.3. There is - by design - no way to say "I want the latest 1.1 version." You can only describe a single, specific version.
So it's no surprise that Sonatype will see a ton of old Maven projects continuing to download outdated Maven artifacts. There's no way to say "I want the latest version of a specific branch" you can only specify a single version. Which means that a project that hasn't changed in years will still pull in the old versions of the libraries, even if it would work with the later versions.