Thanks all for the replies, here are some thoughts from me:
> I'd be particularly interested in a description of the minimum steps
> required to transfer CRA responsibilities to a FLOSS steward, say
> hypothetically the PSF or a cooperative of Python consultants.
I'm not sure the PSF or any other foundation like it is in a position to absorb all projects under, in our example, PyPI. However, we still have our eyes on lowering the bar; for example, I have plans this upcoming year to make complying with the "vulnerability reporting" and "market surveillance compliance" requirements easier for maintainers. Things like an official location for a security policy, a way to report a vulnerability, and a process for contacting all relevant market surveillance groups (CISA, ENISA, etc.) in the case of actively exploited vulnerabilities. I think these sorts of developments are much more within our resourcing. That doesn't provide the resourcing and time it takes to operate those facilities (so it is still a burden on solo- and low-maintainer projects), but at least there's more clarity about what is actually needed from folks, and it helps external groups not to "spook" maintainers with official and legalese-sounding emails that you are now legally obligated not to ignore.
Seth Larson