HACKER Q&A
📣 dev_0

Are OSS developers responsible for ensuring their code is secure?


But no one is paying them for doing so.


  👤 mr90210 Accepted Answer ✓
Well, if I invoke ethics here, I think it’s my responsibility to write secure code as much as I can.

There are even services that allow the detection of malpractices and provide free tiers for OSS projects, such as SonarQube.

Obviously this is easier said than done when the OSS project is small and not used by many developers.


👤 bradwood
They're not under any contract or obligation to make any promises about their software, so I'd say NO.