I feel like the actual problem behind this is a useful definition of what "trusted" and "untrusted" mean that does not resolve to assigning blame for problems that have already happened.
I feel like "literally any URL supplied by anyone capable of visiting your website" and "some random guy from the Internet, with no connection to you or your company whatsoever, who was recently arrested for trying to burn his own house down" are both fairly obvious examples of sources from which you should not download and run random code without checking it first.
But maybe that's the part that this industry is incapable of learning.