They link to that page in their documentation.
I can only assume that they misunderstand this:
> 1. Identify critical open source software (OSS) projects.
> 2. Secure those projects.
Not as "those projects are widely in use, we should really make sure that they are looked at", but as "we have identified those projects as insecure and will secure them".
