But you can read the dependency list or even the code and decide whether to use it or not?

Not in the presence of binary dependencies.

Also the amount of CVEs in FOSS projects show that even the process of code review for patches isn't enough.

You mean, in projects written in languages that are unsafe from beginning to end rather than in small blocks?

I agree, just stating that plain code review isn't enough.

Those patches also come in small blocks.