Because for most people that's a stupid thing to say.
Supply chain attacks are very rare still (especially ones that aren't just typosquatting), and auditing all dependencies (which I assume is what you meant) is ridiculously time-consuming and unreliable.
This small problem can 90% be solved through tool support, automated scanning and library sandboxing (which admittedly is not really supported by any languages yet - at least not without a lot of hoop jumping).