Linux Vulnerabilities

Recently a serious, long-standing vulnerability was discovered in the Linux kernel. The vulnerability had existed since 2017. It was severe enough that a bad actor could have acquired complete control of a system.

Much was made of this, haters saying that the whole notion of open-source software was flawed, because despite the many eyes that could have discovered the flaw, it had existed for ten years. Therefore, they said, open source doesn’t work.

I agree that there was a problem. Despite all the many eyes which could have spotted the bug, no one did. Such a serious vulnerability, existing for such a long time, is worrisome. But it’s not actually a reflection on any deficiency of open source.

The reason we know about this vulnerability at all is because the software was open-source. Ultimately it was someone examining the code who spotted the problem and alerted the kernel developers. A fix was made immediately.

What the haters overlook is that we have no idea what sorts of vulnerabilities exist in proprietary software. Far fewer people are in a position to find them, because they don’t have access to the source code. It’s not that open source has more bugs; it’s that its bugs are more readily identified and publicized. Proprietary software isn’t subjected to as much outside review, so there is less news of its bugs. That does not mean there are fewer of them, just that they get less publicity.
