It's true - programmers introduce bugs into software! Stop the presses.
If you were right that this is somehow an "OSS thing" then no doubt when I look at threads discussing the "password encryption" of this or that proprietary PHP web application I'd find that they've all carefully added Solar Designer's custom PHP salted and pessimised password hash and used it in a compatible fashion rather than say, using a fast unsalted hash or relying on PHP's ancient built-in DES-crypt.
Whereas in reality what I see is stuff like "We use SHA1, so we are not vulnerable to the problems in the MD5 encryption" or "We have a custom algorithm which we are not at liberty to divulge" (which turns out to be something like MD5(password + "specialsauce")).
Also, and far more seriously, in reality when we look at Chip and PIN we see that banks were reluctant to even invite known white hats from outside to review their design, denied the existence of flaws they had in fact verified as real, and worked hard to keep the courts from understanding what evidence was needed to really prove that the customer's correct PIN was used to authenticate a transaction (hint, not the "PIN used" boolean in the database).
The "attitudes" and "practices" you condemn are so widespread as to be effectively universal. It would be extraordinary if they were not present in Free Software.
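As an added illustration (not part of the original post), here is the MD5(password + "specialsauce") pattern next to a per-user salted, iterated hash, plus an audit check that flags the tell-tale duplicate digests a shared-secret scheme produces. The user names and passwords are constructed, and PBKDF2-HMAC-SHA256 stands in for phpass-style stretching.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample: three accounts, two of which chose the same password.
USERS = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "correct horse")]


def naive_hash(password: str, sauce: str = "specialsauce") -> str:
    """The MD5(password + "specialsauce") pattern: one fixed secret shared by
    every user. That is a pepper, not a salt, so equal passwords give equal
    digests and a single precomputed table covers every account."""
    return hashlib.md5((password + sauce).encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                rounds: int = 100_000) -> str:
    """Per-user random salt plus an iterated hash, stored as salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str, rounds: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_count(stored_hashes) -> int:
    """Audit check over a password table: how many distinct digest values are
    shared by more than one account. Any value above zero means identical
    passwords collide, which only happens without a per-user salt."""
    return sum(1 for n in Counter(stored_hashes).values() if n > 1)


def audit(hash_fn) -> int:
    """Hash every constructed account with hash_fn and count shared digests."""
    return duplicate_hash_count([hash_fn(pw) for _, pw in USERS])
```

Running the same audit over a real table of stored hashes is a cheap way to spot an unsalted scheme without knowing the algorithm.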