Consider it from the point of view of the client. If I think I may have a problem, then I have two options - take on the risk myself and do an internal audit, or spend money on a tool to automate the audit. Neither is free.
Am I safe? Not necessarily. The tool could be buggy or my auditors could miss the problem. Given that this is something I've decided to throw money at, I could just write a check to the insurance company. Now I *know* I'm safe because I have a contract with someone who will guarantee that this won't come back to bite me.
It took no time or effort apart from writing a check.
Taking the insurance company out of it, I don't know much about Black Duck, but I'd bet against my former co-workers if they were faced with any remotely capable company.