You just make all the dependencies open source at the time the rest of it becomes open source; then you can keep the updates in-house and the community can update the dependencies if necessary and willing.
That still assumes the dependencies are first-party. Some well-known CVE examples have been how much both macOS and Windows had internal dependencies on Adobe code. Surely Adobe still has a commercial interest in their code even as/when both macOS and Windows dropped the features that relied on those dependencies?
(For other examples, the game industry is full of well-known third-party "middleware" like Bink, SpeedTree, and much more because those middleware like to force their logos into places for advertising as a part of their licensing terms. If Windows had opening or closing credits it might be a surprise how many logos might be forced to show up in it.)