In general and for software in particular too :). For general see my response to ellg.

Even though we were aware of the insecurity of the supply chain, 1) In practice we tend to ignore it except for mission critical cases. We still do. 2) Autonomous vulnerability/exploitation at scale was difficult and reserved for high value targets.

What you said will be accelerated by 2) now.