I am scared of the situation where the paperwork is done and the money is spent to do it, but it all stays on paper without any actual security improvements. Using your example, the internal auditor would write something like "It was verified that the open source libraries that we use are of the latest compatible versions and do not have any crashes recorded in our system" without actually checking anything.
In other words, an array of mini-dieselgates.