Agreed, but what should that mechanism be? My business runs on open-source software. Pretty much everything is behind our reverse proxy, Pound. One of the numerous libraries which Pound relies on is OpenSSL.
To whom do I give money? Debian? The applications I use like Apache and Pound? Do I enumerate all the libraries that all the applications use and give each of those hundreds of projects a few pennies?