I suppose people did learn that it isn't that bad or costly after all, and the risk and the bandaids are still better than the cost of being the first to try and fix software supply chains for good. As things stand, I don't know how that might even be done if it's supposed to not be a better bandaid, and someone has to do the legwork, and it can't be so costly or impractical to overworked IT teams that everyone is just going to ignore it.