Nix* ecosystem shall build up universal policies and (easily auditable) workflows in line with their values and aggressively market them.
Then it will be easy to expose (real) threat scenarios of non-reproducible package ecosystems and blame them. (Ken Tompson’s original “Reflections on Trusting Trust” — turing award lecture is indeed a good thing also for managers to digest — it exquisitely instills fears about how fundamentally flawed software security is now a days.)
Once those policies in place, it will be hard for the opponent to credibly dismantle nix’s high security aspirations by citing poor workflows and auditability.
The preceived benefit must outweigh the percieved cost. So the key is to know how to play those perceptions! (— not the truths)