This regulation ensures that whoever sells the software to the consumer is responsible, and that's the way it should be. The creator of a library doesn't know how his library will be used in the wild, he can't anticipate all possible problems, the product maker can. It is the product maker's responsibility to integrate external components properly, having validated that they are up to standard.
If you're a manufacturer, you can't just pick components at random and then say it's not your fault if your product doesn't work. That's why manufacturers have whole teams of people working to ensure that what they receive from a supplier is up to spec.
He's got many other examples of emails he gets from people. They find his name or whatever in some apps attribution.
It doesn't matter if there's legal grounds or not. Someone and some lawyer will make your life hell. They don't understand software nor do they care. It will be horrifically stressful and potentially very expensive for someone.
Maybe it's better in the EU but the second the lawyers or the insurance companies get involved it will make everything awful.