Possibly.
It depends on how many people are fixing bugs and pentesting.
If it's a lot of people, there won't be much difference. It could be even better if enough free/non-corporate people can help find and fix.
For things that don't get lots of bug hunters and fixers, this could become a real problem. Hopefully not much critical software is in this boat.
Agreed, because for most practical purposes there are only two valid distros in the first place (apt-based and pacman-based)