Open-source risk is often simplistically reduced to security headlines about the latest vulnerability or bug count. Security matters, of course, but it is only one dimension of a broader risk surface ...