"developers failing to vet third-party code for vulnerabilities"
LOL. What would you suggest? Code inspection by magically infallible developers who have their own work to do creating new features probably wouldn't recognize vulnerabilities in their own code?
Most companies and projects do not employ security researchers and specialists, not for their own code and certainly not for anyone else's, and they are not about to do so. And even if they could afford it, I wouldn't be too hopeful of the bugs actually being found. In fact, spending the time to find the bugs in the first place probably creates more vulnerability than would otherwise exist.