Would like to see some actual cases where this was an issue. If a plane goes down due to bugs in open source software, could Airbus just say it wasn't their fault? Can't imagine that. Or if you got hacked and customer's data exposed because of the log4j-bug, could you just say it was because of that library, case closed? That would be interesting to find out, but it sounds insane to me if you can just point at something that explicitly has no liability, that you chose to use in commercial software, and not be liable yourself.