A couple of months ago, when writing about the end of EU-FOSSA 2, I criticized its reactionary nature. Just like I had done a few years ago about the Core Infrastructure "Initiative", EU-FOSSA's private counterpart.
That is why we can feel very grateful once again to the Linux Foundation's Jim Zemlin for setting up OpenSSF, replacing the CII this year. Not only does the Open Source Security Foundation lose the "initiative" in its name, but it really is a lot less reactionary, established as a permanent project:
A lot has changed since Heartbleed. The next challenge would be to see security efforts more integrated into primary software projects, rather than in secondary projects, still somewhat reactionary afterthoughts.
Here's hoping for truly organic security (which doesn't prevent external security assessments)
Update
Wanting to become more universal than the CII, OpenSSF is facing a serious challenge: prioritization. By trying to become neutral, it appears it's so far risking its auditing efforts to be irrelevant, with its current method computing Qt's criticality as way lower than... some Bitcoin software 
And beyond noting that the current metrics are broken, I don't see an easy fix without completely changing the approach.
Here's hoping common sense prevails