@pfm My guess is that it depends a lot on which communities and languages are under consideration.
My gut feeling: the bigger the ecosystem, the less manual auditing and the more reliance on automated tools, like GitHub's Dependabot.
Some projects are actively keeping dependencies to a minimum, and others don't seem to care.