This is not all that theoretical any more, and exactly what the security tracker started with the Nixpkgs supply chain security project is supposed to enable.
It already implements a basic workflow of tying CVEs to packages and maps maintainer status to write permissions. Progress is much slower than anyone would like, though, but I think we’ll get there eventually.