I agree that the responsibility for quality and security of open-source lies with the consumers of that code. But legal liability for negligence is another thing altogether. If the ultimate customer or user wants their vendor to accept liability for failures or defects then they need to negotiate that up front in a binding contract. If customers don't want to pay for that then that's their problem, they can take whatever garbage their vendors shovel out and then deal with the consequences.