[return to "A Tour of WebAuthn"]
1. Zamico+uR 2024-12-27 05:14:56
>>caust1+(OP)
WebAuthn and passkeys are a disaster.

Much of the specs were created behind closed doors and never done in a way where we could have had outside input. They're completely corporate-driven and designed to control users, not empower them.

2. pas+sj1 2024-12-27 13:21:31
>>Zamico+uR
Ah yes, the closed doors of the World Wide Web Consortium.

https://lists.w3.org/Archives/Public/public-webauthn/

(nb. I'm not saying the folks were easy to work with or super open to discussion, but it was not some clandestine black kitchen where it was cooked up.)

3. lxgr+Qu1 2024-12-27 14:59:15
>>pas+sj1
The working group is definitely quite corporate-driven – just look at who's most active in it! – and has made some bad decisions in the past (my favorite example being [1], which effectively either breaks the hardware authenticator experience for passkeys or helps Yubico sell more/higher-capacity YubiKeys, depending on how you look at it).

But I agree that one thing you can't accuse them of is not operating in the open. While I don't agree with some of their decisions, discussing feedback in GitHub issues as well as on public mailing lists is probably as transparent as it gets.

[1] https://github.com/w3c/webauthn/issues/1822

4. pas+up3 2024-12-28 10:11:54
>>lxgr+Qu1
... arms in a wide shrug ... well, yes, and ... it was always like this, no?

DARPA was defense money, Xerox PARC was corporate money. The one big success I can quickly name that's "pure" is the web from CERN. (Okay, I looked it up: SMTP, RFC 821 from 1982, submitted by Jon Postel from ISI USC. But emails with the familiar @ were invented at a for-profit company by Ray Tomlinson more than a decade earlier.)

I'm not saying we should just slump into apathy, I'm just trying to point out that many mostly good things came from big corps. (And the usual problem is that they still hold the keys to the kingdom. For example see how hard it is to send mail to MS hosted email inboxes. And of course they hide behind "oh our users choose this aggressive level of filtering".)
