Abstract
With the continued growth of Open Source Software (OSS), maintenance workloads have also continued to expand, which, together with additional stressors, results in maintainer burnout and churn. Given that the pool of those within a software ecosystem with the expertise and willingness to maintain a project is limited, maintenance efforts should be focused on minimizing the security risks with the greatest potential impact. One would expect a well-maintained ecosystem to have strong security across all packages, or at the very least, strong security in the packages that are core to the ecosystem. As such, dependency graphs for two ecosystems (Python, and JavaScript/TypeScript) were captured to obtain criticality and popularity scores for each package. Security was measured at multiple points across the range of these metrics to establish the relationships between popularity, criticality and security. In doing so, a statistically significant moderate positive correlation between security and popularity was found for both ecosystems, along with mixed results for the correlation between security and criticality. These results can be used to assist both in feature selection for machine-learning-based dependency risk measurement and as a guide for dataset sampling in future evaluations of security tooling.
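The abstract describes a three-step analysis (capture a dependency graph, score each package, rank-correlate the score with security). The following is an added illustration of that pipeline, not code or data from the paper: the dependency graph and security scores are constructed, and criticality is approximated as the number of transitive dependents, which is an assumed proxy since the abstract does not define the paper's metric.

```python
from collections import defaultdict

# Constructed sample graph, package -> its dependencies (illustrative, not paper data).
DEPENDS_ON = {
    "app-a": ["web-framework", "http-client"], "app-b": ["web-framework", "logging"],
    "app-c": ["http-client"], "web-framework": ["http-client", "logging"],
    "http-client": ["logging"], "logging": [],
}
# Constructed per-package security scores, 0-10, higher is better (not paper data).
SECURITY = {"app-a": 4.0, "app-b": 5.5, "app-c": 3.0,
            "web-framework": 7.0, "http-client": 8.5, "logging": 9.0}

def transitive_dependents(graph):
    # Assumed criticality proxy: number of distinct packages that depend on each
    # package directly or transitively, i.e. how many are exposed if it is compromised.
    reverse = defaultdict(set)  # package -> packages that depend on it directly
    for pkg, deps in graph.items():
        for dep in deps:
            reverse[dep].add(pkg)
    counts = {}
    for pkg in graph:
        seen, stack = set(), list(reverse[pkg])
        while stack:  # depth-first walk up the reverse edges
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(reverse[cur])
        counts[pkg] = len(seen)
    return counts

def ranks(values):
    # 1-based ranks; tied values share the mean of their rank positions. Ties are
    # the normal case here: every leaf application has zero dependents.
    ordered = sorted(values)
    return [(ordered.index(v) + 1 + len(values) - ordered[::-1].index(v)) / 2
            for v in values]

def spearman(x, y):
    # Spearman's rho: Pearson correlation computed on the rank vectors.
    rx, ry = ranks(x), ranks(y)
    dx = [a - sum(rx) / len(rx) for a in rx]
    dy = [b - sum(ry) / len(ry) for b in ry]
    return sum(a * b for a, b in zip(dx, dy)) / (
        sum(a * a for a in dx) * sum(b * b for b in dy)) ** 0.5

def criticality_vs_security(graph=DEPENDS_ON, security=SECURITY):
    # Rank-correlate the criticality proxy with security, package by package.
    crit, pkgs = transitive_dependents(graph), sorted(graph)
    return spearman([crit[p] for p in pkgs], [security[p] for p in pkgs])
```

With the constructed data the shared base package `logging` has five transitive dependents and the three applications have none, so the tie-aware ranking matters before any correlation is read off.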