Saved February 14, 2026
Do you care about this?
Chainguard's report highlights the significant security risks associated with less popular container images, which account for most vulnerabilities. While popular images like Python and Node are commonly used, the majority of critical issues exist in the long tail of images, emphasizing the need for better management and remediation practices.
If you do, here's more
Chainguard's latest State of Trusted Open Source report highlights significant vulnerabilities in container images and the often-overlooked long tail of open-source dependencies. Analyzing over 1,800 container image projects and more than 10,100 vulnerabilities between September and November 2025, the report reveals that popular foundational images like Python, Node, nginx, Go, and Redis dominate production usage. Python is found in 72% of environments, Node in 57%, and nginx in 40%. However, the top 20 images represent only 1.37% of Chainguard's total catalog, while 1,436 long-tail images account for more than 61% of what average customers use. This long tail often contains critical components necessary for live services.
The report emphasizes that the majority of vulnerabilities are not found in these popular images. Only 214 of the remediated CVEs, about 2%, were from the top 20 images, while a staggering 10,785 (98%) came from less popular images. Chainguard managed to reduce average remediation times significantly, addressing critical vulnerabilities in under 20 hours, with 63.5% resolved within 24 hours. This rapid response contrasts with the longer remediation times for less severe issues. The findings stress that while developers focus on popular images, the real security risks lie in the long tail where patching is more challenging.
Compliance is also a key concern, with 44% of customers using at least one FIPS-compliant image to meet various regulatory requirements. The most common FIPS images reflect those used in non-FIPS environments, indicating a trend toward using secure, verified components under regulatory pressure. Other studies, like one from NetRise, back up Chainguard's insights, revealing that commonly used Docker containers often harbor a high number of vulnerabilities, many of which are outdated. Similar findings from academic research highlight the need for regular updates to reduce attack surfaces.
Security strategies are evolving to address these risks. Organizations increasingly implement image scanning in their CI/CD processes, tying it to policy-as-code rules to enforce compliance. The European Union Agency for Cybersecurity emphasizes the importance of signed artifacts and matching SBOM contents against vulnerability intelligence, reinforcing the need to manage vulnerabilities across all components, not just the most popular ones. This comprehensive approach is essential in today's software development landscape, where hidden risks often reside in less visible but critical parts of the code.
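The CI gate described above (scan the image's SBOM, match it against vulnerability intelligence, and let a policy-as-code rule decide whether the build passes) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the article, from Chainguard, or from ENISA. The SBOM, the vulnerability feed, the CVE identifiers (all in the obviously fake `CVE-0000-*` form) and the policy thresholds are constructed for illustration; a real pipeline would read the SBOM produced by the image build and a live advisory feed instead. It also tallies how many findings land in long-tail components rather than in the handful of top images, which is the report's central point.

```python
"""Added example: SBOM-to-vulnerability matching with a policy-as-code gate.
Everything below (SBOM, feed, CVE ids, thresholds) is constructed, not real data."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX-style SBOM; package URLs and versions are made up.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "python", "version": "3.12.4", "purl": "pkg:docker/python@3.12.4"},
        {"name": "obscure-metrics-exporter", "version": "0.4.1",
         "purl": "pkg:docker/obscure-metrics-exporter@0.4.1"},
        {"name": "libfoo", "version": "1.2.0", "purl": "pkg:generic/libfoo@1.2.0"},
    ],
})

# Constructed vulnerability intelligence. CVE ids are placeholders, not real advisories.
VULN_FEED = [
    {"id": "CVE-0000-0001", "purl": "pkg:generic/libfoo", "affected": ["1.2.0"],
     "fixed": "1.2.1", "severity": "critical"},
    {"id": "CVE-0000-0002", "purl": "pkg:docker/obscure-metrics-exporter",
     "affected": ["0.4.1"], "fixed": None, "severity": "high"},
    {"id": "CVE-0000-0003", "purl": "pkg:docker/python", "affected": ["3.11.0"],
     "fixed": "3.11.1", "severity": "medium"},  # does not match: SBOM has 3.12.4
]

# "Top images" in the sense of the article: the popular base images everyone scans.
TOP_IMAGES = {"pkg:docker/python", "pkg:docker/node", "pkg:docker/nginx"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Policy-as-code rule set (constructed thresholds): deny the build on findings at or
# above deny_at_or_above when a fix exists; anything at or above warn_at_or_above
# that cannot be denied (e.g. no fix yet) is surfaced as a warning instead.
POLICY = {"deny_at_or_above": "high", "warn_at_or_above": "medium"}


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    cve: str
    severity: str
    fixed_in: Optional[str]


def split_purl(purl: str):
    """Split 'pkg:type/name@version' into (base, version); version may be absent."""
    base, _, version = purl.partition("@")
    return base, (version or None)


def parse_sbom(sbom_json: str):
    """Return [(purl_base, version)] for every component in the SBOM."""
    doc = json.loads(sbom_json)
    out = []
    for comp in doc.get("components", []):
        base, ver = split_purl(comp["purl"])
        out.append((base, ver or comp.get("version")))
    return out


def match_vulns(components, feed):
    """Match each SBOM component against the feed on purl base and exact version."""
    by_purl = {}
    for vuln in feed:
        by_purl.setdefault(vuln["purl"], []).append(vuln)
    findings = []
    for base, version in components:
        for vuln in by_purl.get(base, []):
            if version in vuln["affected"]:
                findings.append(Finding(base, version, vuln["id"], vuln["severity"], vuln["fixed"]))
    return findings


def evaluate_policy(findings, policy=POLICY):
    """Apply the rule set; returns (decision, denial reasons, warnings)."""
    deny_rank = SEVERITY_RANK[policy["deny_at_or_above"]]
    warn_rank = SEVERITY_RANK[policy["warn_at_or_above"]]
    denials, warnings = [], []
    for f in findings:
        rank = SEVERITY_RANK[f.severity]
        if rank >= deny_rank and f.fixed_in is not None:
            denials.append(f"{f.cve} in {f.component}@{f.version}: upgrade to {f.fixed_in}")
        elif rank >= warn_rank:
            fix = f"fix in {f.fixed_in}" if f.fixed_in else "no fix available yet"
            warnings.append(f"{f.cve} in {f.component}@{f.version}: {fix}")
    return ("deny" if denials else "allow"), denials, warnings


def long_tail_share(findings, top_images=TOP_IMAGES):
    """Fraction of findings that sit outside the popular base images."""
    if not findings:
        return 0.0
    tail = sum(1 for f in findings if f.component not in top_images)
    return tail / len(findings)


if __name__ == "__main__":
    found = match_vulns(parse_sbom(SBOM_JSON), VULN_FEED)
    decision, denials, warnings = evaluate_policy(found)
    print(f"decision={decision} long_tail_share={long_tail_share(found):.0%}")
    for line in denials + warnings:
        print(" ", line)
```

Run as a CI step, a non-zero exit on `deny` is what turns the policy into an enforced gate; the warning path exists so that unfixable findings are tracked rather than silently blocking every build. Note that both findings here come from the long-tail components, while the popular `python` image is clean at the version actually shipped, which is the pattern the report describes.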