Are there plans for donating funds and engineering talent to open source projects that may not be equipped to handle staying abreast of the latest security practices?
There are active discussions around this, especially in the Securing Critical Projects working group (https://github.com/ossf/wg-securing-critical-projects). These resources will always be scarce relative to the number of open source projects that could benefit, so there's a large focus on developer best practices, improved tooling, and "secure by default" configurations. These are described in the working group README pages (https://github.com/ossf) in more detail.
There are a few ways that OpenSSF and member organizations are already funding direct security work for open source projects, and I'm hoping this expands significantly in the near term.