It's worth noting that centralized package hosting concentrates the risk into "too big to fail" operations. This is great for as long as they genuinely are too big to fail and you can assume that someone will always step up to save the day. But the Java ecosystem went through a case where that didn't happen: JCenter/Bintray was a popular Maven hosting site for many years until one day the operator simply announced they didn't want to run it anymore and shut it down. It was a clean, phased shutdown but ultimately enormous numbers of builds and projects did have to migrate away. Now everything is even more centralized around Maven Central, which really is (hopefully) too big to fail.
The financial system has a lot of experience with dependency on centralized organizations that are too big to fail. It's trading one set of problems for another. In particular the risk is that the organization starts to "fail" but not badly enough to cause a mass collective shift away. Things just degrade and become terrible but there's never a moment that overcomes the enormous activation energy needed to migrate away. With a federated or decentralized system it's easier to bleed off from an institution or service that's started failing at its core mission.