If you pay for software, your supply chain risk is reduced, if you don't pay for software, your risk is increased.
But maybe we disagree about this other thing. I'm not certain that closed source/paid software is less of a risk either. There have been high profile incidents lately that suggest this is not a sufficient defense.
Personally I just think you're barking up the wrong tree with this pay/contribute=>reduced risk link. I don't think there's anything there. I will grant that you are at slightly less risk from software you know well and contribute to directly, but that's only of any help for very low level stuff that doesn't have many dependencies.
I'd look beyond software as it seems more of a general economic or political matter.
Here's what I found:
Theory that there's an incentive to pay above market price: https://en.wikipedia.org/wiki/Efficiency_wage
Namely that the 'market price' for some software might be 0$ or 0+tips/donations, but paying in excess of that would be an efficiency wage.
https://en.wikipedia.org/wiki/Principal-agent_problem
Academic term for the conflict of interest, which would be applied to the difference of interests between an OS dev and its downstream users.
https://en.wikipedia.org/wiki/Multiple_principal_problem
This would not apply to something as extreme as a supply chain incident, but if an OS library has multiple users, it can't serve all of them equally well. If one consumer throws a big donation, of course they will serve them better, potentially at the expense of others.
Experiment on corruption and wages for public officials: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2039238
Self explanatory.
https://en.wikipedia.org/wiki/Shapiro%E2%80%93Stiglitz_theor...
Source of the efficiency wage concept, more detailed and mathematical explanation. Shirking would be the term for a worker not working or working against their employer.
There is mention to the fact that not all contracts are perfect, and there's always some implicit terms, governed by reputation at least (like, say, the quality of the work will be good, or you won't plant a worm in the code). Also it is mentioned that the costs of monitoring perfect contracts would be too high (for example defining a system of story points and ensuring that the story points contributed are above a certain level, or auditing code and code changes to ensure there are no worms in the code), so an efficiency wage provides an incentive for the worker to self-police, potentially removing the cost of auditing.
Just think about what the contrary would imply, if paying workers didn't increase security, then a free worker writing code would be as secure as a paid worker writing code. In order to introduce security you'd have to introduce an external auditor, which can be free or paid. An auditor cannot introduce vulnerabilities, but they can shirk and get paid without doing the work, but you claim that a system with a free codewriter and a free auditor is more secure than a system with a paid codewriter and a paid auditor? I contend that a system without auditor and a paid codewriter is more secure. And it is even more secure if the worker is paid in excess of perfect market wages, potentially only based on incentives, but also due to the fact that their payment is conditional on job execution, depending on the contract type, if they are negligent on their job, you can recover at least their payment in court, and possibly additional damages.
Finally, I couldn't find sources on the discussions around the ends of 18th century when mandatory salaries for public officials where defined in constitutions of countries of the Americas, but it was my understanding that in most democracies public officials MUST be compensated, it is often justified that otherwise only wealthy classes would have access to such positions so this increases representation, but it's also possible that resistance to bribery and corruption is another reason most governments converge on this decision. The experiment cited supporting this correlation.
I'll add even more from anecdotal experience, sometimes prices can be too cheap, and this will dissuade buyers of the item, because we have an internal model of what cost structures are like, a price too cheap suggests underfunding or cheap materials. I can personally recount many examples where a sale was lost not because the price was too high, but because it was too low. And 0 is a number, which again might be too low. In this case the rule is not about security strictly, but about sale price being a signal of the investment in the quality of the contracted asset. Naturally the cost invested into the product cannot be lower than the price, excluding price dumping (which arguably are not deals you want to take), or lead lossing, so it's a necessary conclusion that low price signal low investment and thus quality, not only of the visible immediate product, but of less visible qualities like future commitment to the product, and less visible present qualities like hidden backdoors.
I grant that if you act as a significant source of funding to a given entity, that entity is less likely to hurt you, if it knows what your interests are. Of course, this is completely impractical for hobbyist users of open source software.
