I'm not saying the status quo is good, but it is nontheless the status quo. Just about every machine on the cloud, mobile devices, etc all have non-source binaries somewhere, and besides some niche projects that actually have an assembly half-C compiler bootstrapping another tiny C compiler bootstrapping a real C compiler, this is not feasible for the vast software ecosystem as of today.
Stagex can already support all of those use cases provided they are not written in Haskell or Ada, and in fact Stagex is already used heavily in production. We bootstrap everything deterministically from 180 bytes of human auditable x86 machine code.
Rust, Go, Nodejs, we have you covered with complete full source bootstrapping and multi-party signed reproductions.
There is no good excuse for poor supply chain integrity anymore.
Most mainstream languages have a fairly straightforward bootstrapping process that doesn't rely on a trusted binary. And yes, most distrubutions ignore that, but nonetheless it is possible to use those languages in a high-sec environment if you put the work in.
I'm not sure that I agree that GHC can't be bootstrapped though. There is a process for porting to other architectures; its not an automated process and perhaps no one outside the GHC team can actually do it, but if for some insane reason NSA decided they want to use Haskell I'm not sure that they actually can't, if they put a lot of work in and hire GHC committers with high security clearances.