Without the ability in WordPress to easily specify an alternative plugin repository for automated updates, Matt Mullenweg is basically a living supply chain vulnerability in the WordPress ecosystem.
Put another way: if Matt & #Automattic turning off #WPEngine access to WordPress dot org demonstrates anything, it's that #WordPress has a fundamental supply-chain vuln in the form of its total reliance on WordPress dot org for automatic updates, & in Matt's autocratic control of the platform.
I'm gonna revise this a little: I'm still gonna say that Mullenweg himself (& more precisely, his autocratic management style) is a supply chain vulnerability. But I'm also gonna suggest that there's a certain amount of #POSIWID in Automattic setting up WordPress.org & its services to be funded by the grace of Automattic instead of community contributions.
Matt had literally two decades to figure that out & didn't.