--

I did read that part. That's why I mentioned eyeballs. I wanted to point out that I especially disagree with that argument.

While you're right that most people who use a library individually do not read the code of all its sub-dependencies, they do so in aggregate (different people just read different parts of it and different sub-dependencies). This is especially true for popular sub-dependencies.

From personal experience, I maintain a moderately popular open source library which is often used as a dependency or sub-dependency of other projects... If I introduce a bug, I will know about it within about 5 minutes. That's how many eyeballs there are. To suggest that there aren't many eyes on the code is simply not true.

--
