
The most secure supply chain is no supply chain, but the relationship is linear or better. A thousand dependencies is more than 100x worse than ten dependencies.


I think the number of maintainers is more relevant than dependency count. Some languages just tend to have more smaller packages written by a few people, and that’s fine; the situation in JavaScript is troubling because there are so many contributors whose access lets them push bad changes.


I don't think so. Or what's the unit in this case? If you think of it as "the probability that a problem with at least some given severity occurs", then you can model it as the combined independent probability of N dependencies and you end up with the classic 1 - (1 - p) ^ N, so asymptotic behavior for large N.
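The two competing "units" in this thread (the first comment's linear-or-worse claim and the 1 - (1 - p)^N model above) can be put side by side in a few lines. This is an added example, not code from any commenter; it generalizes the formula to per-dependency probabilities p_i (the comment assumes a single p) and assumes those probabilities are independent.

```python
import math


def p_at_least_one_incident(probs):
    """Probability that at least one dependency has an incident.

    Generalizes 1 - (1 - p)^N to per-dependency probabilities p_i,
    still assuming independence: 1 - prod(1 - p_i). Saturates at 1.
    """
    log_none = sum(math.log1p(-p) for p in probs)  # log prod(1 - p_i)
    return -math.expm1(log_none)                    # 1 - prod(1 - p_i)


def expected_incidents(probs):
    """Expected number of incidents: sum of p_i, linear in N."""
    return sum(probs)


def risk_ratio(p, n_small, n_large):
    """How much 'worse' n_large deps are than n_small under each unit.

    Returns (ratio of P[at least one], ratio of expected count).
    With p = 0.01, 10 vs 1000 deps: the first is about 10x, the
    second exactly 100x, which is the disagreement in the thread.
    """
    small, large = [p] * n_small, [p] * n_large
    return (
        p_at_least_one_incident(large) / p_at_least_one_incident(small),
        expected_incidents(large) / expected_incidents(small),
    )
```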



