I'm sure some security researcher is doing this, but we could easily create a visualization of "who has contributed over time" and identify transitioning of maintainers automatically just from git.
This might be worth doing and contributing to a site like bestofjs or libraries.io (I don't really use that one though!)
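The idea in the comment above, as an added example that is not part of the original thread: it reads author dates and e-mails in the shape that `git log --pretty=format:'%aI|%ae'` prints and flags quarters where the dominant committer changes, noting whether the new one had ever committed before. The sample log, the 50% share threshold and the function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, shaped like: git log --pretty=format:'%aI|%ae'
SAMPLE_LOG = """\
2017-01-10T09:00:00+00:00|alice@example.org
2017-02-11T09:00:00+00:00|alice@example.org
2017-03-02T09:00:00+00:00|bob@example.org
2017-04-05T09:00:00+00:00|carol@example.org
2017-05-06T09:00:00+00:00|carol@example.org
2017-06-07T09:00:00+00:00|alice@example.org
2017-07-08T09:00:00+00:00|carol@example.org
2017-08-09T09:00:00+00:00|carol@example.org
2017-10-01T09:00:00+00:00|bob@example.org
2017-11-02T09:00:00+00:00|bob@example.org
2017-12-03T09:00:00+00:00|carol@example.org
"""

def quarter(ts):
    d = datetime.fromisoformat(ts)
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"

def bucket_commits(log_text):
    """Count commits per author e-mail for each calendar quarter."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        ts, sep, author = line.strip().partition("|")
        if sep:  # skip blank or malformed lines
            buckets[quarter(ts)][author.lower()] += 1
    return buckets

def maintainer_transitions(log_text, min_share=0.5):
    """Flag quarters where the author holding >= min_share of commits changes."""
    buckets = bucket_commits(log_text)
    seen, prev, flagged = set(), None, []
    for q in sorted(buckets):
        author, n = buckets[q].most_common(1)[0]
        share = n / sum(buckets[q].values())
        if share >= min_share:
            if prev is not None and author != prev:
                flagged.append({"quarter": q, "from": prev, "to": author,
                                "new_to_repo": author not in seen,
                                "share": round(share, 2)})
            prev = author
        seen.update(buckets[q])  # authors known before the next quarter
    return flagged

if __name__ == "__main__":
    for t in maintainer_transitions(SAMPLE_LOG):
        print(t)
```

Author e-mails in git are self-declared, so a flagged transition is a prompt to look at the project, not proof of who took over.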
It is not the idea of GPG that's bad. In fact, the idea is great! The implementation of GPG however is quite another thing. Ease of use and user experience are really not that great with GPG. It is difficult to use even for developers. Developers are users too and so on.