Even if it's fully open, with 0 binary blobs. How many qualified specialists, with serious math background, do you think are out there looking through complex encryption functions checking through flaws in math? Ever heard of Obfuscated C Code Contests? Openness of the code does not guarantee absence of backdoors even if the code does get a lot of eyeballs looking at it.
Firstly, if the Obfuscated C Code Contest scares you, then I guess you should look up the Underhanded C Contest. Notice especially the bits where malware is disguised as small programming bugs. When you say "Openness of the code does not guarantee..." you are 100% right. However, don't forget, "the perfect is the enemy of the good". We don't always need a guarantee; sometimes improvement is enough:
1) Given that there have been plenty of discoveries of problems (e.g. just today a flaw in Android's RNG was reported) there must be quite a few people who are checking.
2) All it takes is one person. You don't need to do anything to benefit if I check it for you.
3) There is a vast increase in the risk for the attacker if it's open source;
- their change is likely visible in the version control and can be traced back to them
- it's easy for someone to change their backdoor into a trap
- if they do use the attack to break in, it's much easier to track it back to the original programming mistake
4) Security problems tend to happen in generally insecure code. If code is open source you can avoid this:
- by looking to see how the code is written and choosing the software using the best techniques and languages
- by choosing code written by people you feel you can trust and avoiding others
Several of the things I mentioned are things that most people won't do most of the time. Having them as options means that they will be available when you actually really need them.
defenders can spot the hole and