They should be employing developers to participate in this crucial project, so that they have in-house skills in its nearly half a million lines of code. We know who they are. Why haven't they invested? I believe that's the result of the ability of commercial software suppliers (of all kinds, proprietary and open source) to disclaim liability. Unlike pretty much any other kind of commercial venture, the deployers of software are able to disclaim all liability for harm caused by their code. Fix that, and the magic of market forces will fix everything else.
This is not to say the authors of the code should be personally liable. Open source projects don't exist to create code for nonparticipants; they exist as the locus of collaboration for developers. It's not reasonable to hold a project liable for its code quality (even if we should ask serious questions about code quality and governance). But the entities that deploy the code do have a responsibility. They need an incentive to pay developers, pay auditors, and promote quality and accountability. We'll only get that when we fix the liability issue.
This is not a new thought. For example, in a 2008 report the European Union Agency for Network and Information Security said:
Networked systems, however, can cause harm to others, and the Commission should start to tackle this. A good starting point would be to require vendors to certify that their products are secure by default.
We recommend that the EU develop and enforce standards for network connected equipment to be secure by default.
Why has this not happened? I suspect the explanation concerns corporate lobbying by large proprietary software companies. It's time for that to change, while we still have Heartbleed as a recent memory. Open source remains the best model for crypto (as well as most other software); we need to make sure software deployers realize that with great (software) freedom comes great responsibility.