I took a report down within 3 minutes of upload today. We have regularly received comments from our 3rd-party reporters that we are the most responsive.
This assumes that all of this is binary, when in reality it’s a complex system that takes time and effort to modify in a meaningful and responsible way.
Python release files have been signed with sigstore for the last couple versions. You can peruse the release tooling that uses it at https://github.com/python/release-tools
You are wrong.