Given that software is composed of a hierarchy of dependencies, I would like to see a funding approach that works at the dependency tree level to support an entire tree or sub tree.
There is a huge freeloader problem where business don't contribute any support for their core dependencies.
I wonder if there is a role for an organization that could act as the interface for corporate support at the dependency tree level. It could offload maintainers (or fund them) to handle certain compliance requirements and provide an official sanctioned entity for purposes of corporate policies.
There should be a way to garner support broadly for risk management and specifically for security in the corporate context.
Ideally you'd match it to some population of interest. For my own medical affairs, I don't care what grand-pappy's results are here, I want to know how cousin Tim fairs.
In addition to immunity based on T cells, the HIT depends on how individuals are networked. The original 60-70% estimates were based on 100% of people being vulnerable and also a random distribution of individuals interacting. In reality a small fraction of the population will have many interactions and once they become immune those transmission vectors away and the average R number drops. So based on the latest research plus observations of the worst hit places, 20-25% seems plausible.