> It’s an organization created by a national government.

Why? What about this requires the power of "government?"

> Obviously, more nations than one could have an OSQI.

Contributor agreements are about to get way more parsimonious and annoying.

> There would be no suspicion that your employer is trying to enshittify anything

Nation states use software and knowledge of zero days to commit espionage against each other. He can't be serious with this.

> Yeah. Except for, I no longer speak with the voice of a powerful employer.

Yea, but you speak with the same tone.


Not the original poster but:

>> It’s an organization created by a national government.

> Why? What about this requires the power of "government?"

Budget mostly. I don't think the power of government is strictly required. There are some private organizations which try to take care of the commons (Hiya, Mozilla!), but it's still by and far hard to fund. Why not use public funding for this?

> Contributor agreements are about to get way more parsimonious and annoying.

Why? I don't think the project necessarily needs to be owned by the organization, right? In which case, nothing changes to the contribution model.

> Nation states use software and knowledge of zero days to commit espionage against each other. He can't be serious with this.

That's true, but it's not as if there was no tension there. Significant backdoors could have impacts on the economy of some nations which are therefore incentivized to keep things running smoothly. You can play offense and defense at the same time.

What would motivate its existence if not government?

Google has Project Zero, but it's quite limited in scope, mostly focusing on things in Google's supply chain. What other evidence is there corporations will fund the scale and scope needed to secure the whole ecosystem (that everyone depends on at this point, Open Source won)?

Lots of the security-related organizations that currently exist merely find and report exploits, often even asking for compensation from the maintainer of the software for reporting it (even if it's a bullshit report: https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-f...). Putting more work on volunteers isn't a reasonable ask.
