I was really saying that if there is a compromised version that gets removed from NPM, then the projects using it do not need to be updated, unless of course they had the compromised version pinned.

Though plenty of orgs centralize dependencies with something like artifactory, and run scans.

If someone detects it is asking a lot.

Users who don't care about security are screwed no matter what you do. The best you can do is empower those users who do care about security.

That cannot work. Nor should it work. However can we make things so that users don't need to care in the first place?

Note that the above probably isn't 100% answerable. However it needs to be the goal. A few people need to care and take care of this for everyone. Few needs to be a large enough to not get overwhelmed by the side of the job.