Depends on how much the company values (i.e. is paying for) that supply chain security. And if enough companies cared they could even save money by pooling efforts.
"Depends". The benefits of leaning on open source pay off the majority of the time. Are you exposed to more risk? Yes. Does that mean you shouldn't take that risk? Not really. Otherwise you'd struggle to move quickly and be competitive.
Of course certain things change this balance. Hopefully nuclear power plants don't have NPM in their toolchain. And I believe financial orgs already have quite heavy auditing of dependencies.
Open source and large dependency trees are orthogonal. You can depend on closed modules in compiled languages, many people do. You can write open source software and only depend on the standard library, many people do.
It's literally possible. You just have to have that as a goal from the start of the project. I just looked at our call center product. Across frontend and backend we have 70 npm dependencies required for build/runtime. Most are small.
It's not that hard to do some superficial review once and do a diff of node_modules when updating npm-shrinkwrap.json for whatever reason.
It's utterly irresponsible to not do so when pulling code from untrusted sources like npm.
Don't pull in dependencies which have many dependencies themselves. There are many projects that pride themselves on minimalism and lack of transitive dependencies. Choose those. Etc.
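An added example script (not from any commenter in this thread) in the spirit of the two suggestions above: it diffs the resolved package set between two revisions of an npm-shrinkwrap.json / package-lock.json and counts a top-level dependency's transitive packages, assuming the lockfileVersion 3 layout; both lockfiles are constructed samples.

```javascript
// Constructed sample lockfiles (lockfileVersion 3 "packages" map, keyed by node_modules path); not from a real project.
const before = { packages: {
  "": { dependencies: { left: "^1.0.0", right: "^2.0.0" } },
  "node_modules/left":  { version: "1.0.0", integrity: "sha512-AAA" },
  "node_modules/right": { version: "2.0.0", integrity: "sha512-BBB", dependencies: { deep: "^1.0.0" } },
  "node_modules/deep":  { version: "1.0.0", integrity: "sha512-CCC" },
} };
const after = { packages: {
  "": { dependencies: { left: "^1.0.0", right: "^2.0.0" } },
  "node_modules/left":  { version: "1.0.0", integrity: "sha512-ZZZ" }, // same version, different bytes
  "node_modules/right": { version: "2.1.0", integrity: "sha512-DDD", dependencies: { deep: "^1.0.0", extra: "^0.1.0" } },
  "node_modules/deep":  { version: "1.0.0", integrity: "sha512-CCC" },
  "node_modules/extra": { version: "0.1.0", integrity: "sha512-EEE" },
} };
// What changed in the installed set. A new integrity hash at an unchanged version means the tarball itself changed.
function diffLockfiles(a, b) {
  const pa = a.packages, pb = b.packages;
  const r = { added: [], removed: [], changed: [], sameVersionNewIntegrity: [] };
  for (const k of Object.keys(pb).filter(Boolean)) if (!(k in pa)) r.added.push(k);
  for (const k of Object.keys(pa).filter(Boolean)) {
    if (!(k in pb)) r.removed.push(k);
    else if (pa[k].version !== pb[k].version) r.changed.push(`${k}: ${pa[k].version} -> ${pb[k].version}`);
    else if (pa[k].integrity !== pb[k].integrity) r.sameVersionNewIntegrity.push(k);
  }
  return r;
}
// Node-style lookup within the lockfile: the requirer's own node_modules first, then each parent's.
function resolveDep(pkgs, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (candidate in pkgs) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Number of packages reachable from one top-level dependency, excluding itself.
function transitiveCount(lock, topName) {
  const pkgs = lock.packages, start = resolveDep(pkgs, "", topName);
  const seen = new Set(start ? [start] : []), stack = [...seen];
  while (stack.length) {
    const p = stack.pop();
    for (const d of Object.keys(pkgs[p].dependencies || {})) {
      const rp = resolveDep(pkgs, p, d);
      if (rp && !seen.has(rp)) { seen.add(rp); stack.push(rp); }
    }
  }
  return Math.max(0, seen.size - 1);
}
```

Run it against the two lockfiles and the same-version-new-integrity bucket is the one to open in a diff of node_modules first; the transitive count is a quick way to compare candidate packages before adopting one.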