zlacker

1. mlinks+ (OP) 2023-12-30 02:40:13
Wish I could say for certain, but we'd need the final texts of the CRA and PLD, and EU lawyers, to say for sure. This is the sort of situation where the general aim of the EU policymakers seems to be to avoid what they'd see as loopholes, where a business is avoiding responsibility simply by making a product open source, while also avoiding destroying open source. It's plausible, perhaps likely, that open source Ghostscript would be exempt, but the one there's a transaction for (clearly being placed on the market -- that, rather than "commercial product", is the key concept) would surely not be. The same vulnerability might impact both, but the developer may only be responsible for the latter. It's possible under the CRA that Artifex could be considered (a very late addition) the steward of the open source version, which was intended largely to cover (give some responsibility to) foundations, but without any real penalties -- but, we'll see.

I'm not surprised that's what you think. I'm doubtful it's anywhere close to sufficient, as much as I'd like that to be true. The focus of the CRA is of course to make the manufacturer responsible, including for providing security updates for as long as the product is expected to be used (5 years or more, typically). There probably is a weak recital suggesting manufacturers might make source code available to other undertakings so that they might provide security updates after the original manufacturer's support period, but no enforcement of this, and explicitly not requiring open source. Seems like a potential area for future regulation to improve upon.

replies(1): >>kragen+c5
2. kragen+c5 2023-12-30 04:07:04
>>mlinks+(OP)
Thank you very much!