If certification is the actual cost, you don't need copyright, at all. SQLite is in the public domain. Your moat is the certification itself, not the code.
I can't use SQLite for aviation even though it was certified.
I can't even claim FIPS compliance for my software without going through an expensive process, even though I only use FIPS approved primitives.
Building on certified/compliant libraries helps, but their vendors can certainly contractually make me pay for it.
All OSS libraries have a warranty disclaimer; using them according to even those licenses automatically excludes "fitness for a particular purpose."
Why would public domain software be any different?
The moat is the certification process, not the code itself. "I copied this from somewhere after it was already certified" might fast track something, but it's not gonna fly with "certification was good, done."