So, who should take care of it and pay to secure it?

Villa and his team at Tidelift propose a model where the company pays open source maintainers to take care of their code and partners to fix vulnerabilities.