For me an issue on the other side is that it can be hard to leadership to pay money for FOSS. This more true the less informed they are. Personally one thing I see that would help if CTO level folks had business reasons for buying down risk by getting SLAs for CVE support, and investing in major work to reduce technical debt when using FOSS. US federal government there are tons of laws and orders that are suppose to encourage using and paying for FOSS but the federal government isn't ran by technical people, so it's hit and miss on adoption.
For me an issue on the other side is that it can be hard to leadership to pay money for FOSS. This more true the less informed they are. Personally one thing I see that would help if CTO level folks had business reasons for buying down risk by getting SLAs for CVE support, and investing in major work to reduce technical debt when using FOSS. US federal government there are tons of laws and orders that are suppose to encourage using and paying for FOSS but the federal government isn't ran by technical people, so it's hit and miss on adoption.