The insurance companies
Consider it from the point of view of the client. If I think I may have a problem, then I have two options - take on the risk myself and do an internal audit, or spend money on a tool to automate the audit. Neither is free.
Am I safe? Not necessarily. The tool could be buggy or my auditors could miss the problem. Given that this is something I've decided to throw money at, I could just write a check to the insurance company. Now I *know* I'm safe because I have a contract with someone who will guarantee that this won't come back to bite me.
It took no time or effort apart from writing a check.
Taking the insurance company out of it, I don't know much about Black Duck, but I'd bet against my former co-workers if they were faced with any remotely capable company.
"Whenever you find you are on the side of the majority, it is time to pause and reflect" --Mark Twain
"The significant problems we face cannot be solved at the same level of thinking we were at when we created them." --Albert Einstein
"This is still a dangerous world. It's a world of madmen and uncertainty and potential mental losses." --George W. Bush