There is a risk that open-source packages will become unmaintained, or spin off a non-open-source version that will be more actively maintained. This is often seen as a risk of BSD-style licensed software, but it is not completely absent from GPLed software either (see the story of the Nessus vulnerability scanner). Even if the licence is a copyleft one, there is a risk that the originators of the programs will stop updating them and that no one will step up to maintain them instead.
This problem is not specific to the FOSS world, because proprietary software has also become under-maintained or discontinued, but naturally the problem still exists.