This is not true. Pkg(3) has all the facilities required for curated registries and reproducible environments. With the latter, if a programmer insists on carefully auditing a particular set of packages, he can freeze the “state of the world” by committing Manifest.toml and only updating when necessary or time permits.
Pkg is merely a tool. It allows curated registries; that was implicit in the design from the beginning. Someone has to do the work though — there is no escaping this.
In case you missed it, all of the Julia ecosystem is the result of work provided for free (mostly) or by sponsors (a bit).
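The "freeze the state of the world" workflow mentioned above, as an added example that is not part of the original post: it activates a project whose Manifest.toml has been committed, resolves exactly the versions recorded there, and then reports any dependency that is not a pinned, registry-tracked release (a dependency tracking a local path or a git repository is the one an auditor cannot reproduce from the committed manifest plus the registry alone). The project directory name and the assumption that Manifest.toml already exists are this example's, not the poster's.

```julia
# Reproduce a committed environment and audit how each dependency is tracked.
# Assumes the current directory contains Project.toml and a committed Manifest.toml
# (example assumption, not from the original post).
using Pkg

# Resolve the environment exactly as recorded in Manifest.toml. Pkg.instantiate
# downloads the recorded versions and checks their tree hashes; it never "updates".
Pkg.activate(".")
Pkg.instantiate()

# Inspect how each dependency in the manifest is tracked.
# Pkg.dependencies() returns a Dict{UUID, PackageInfo}.
function audit_manifest()
    unreproducible = String[]
    for (uuid, info) in Pkg.dependencies()
        # Packages tracking a path or a git repo are resolved outside the registry,
        # so a reviewer cannot reproduce them from Manifest.toml + registry alone.
        if info.is_tracking_path || info.is_tracking_repo
            push!(unreproducible, "$(info.name) ($(uuid)): tracked outside the registry")
        end
        # Pinned packages will not move on Pkg.update(); report them so the reviewer
        # knows which versions are intentionally frozen.
        if info.is_pinned
            println("pinned: $(info.name) v$(info.version)")
        end
    end
    return unreproducible
end

problems = audit_manifest()
if isempty(problems)
    println("all dependencies resolve from the registry; commit Manifest.toml and only run Pkg.update() deliberately")
else
    println("dependencies that the committed manifest alone does not make reproducible:")
    foreach(println, problems)
end
```

Run it from the project root with `julia audit.jl`; commit the resulting Manifest.toml together with the code, and treat any run of `Pkg.update()` as a change that gets reviewed like any other.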