It is... sometimes. The biggest problem with Open Source QA is also one that affects a lot of research: everyone wants to code, nobody wants to be a reviewer/bug fixer.
Look at the Heartbleed bug: there was only one source review before release. There could have been more, but open source suffers from the peer-review paradox: the people with the ability and resources to do thorough reviews are the ones least likely to want to do reviews. Quite simply, there isn't any "glory" in it, and it isn't nearly as much fun as creating new code yourself. Now, in big commercial operations, especially web sites, there are large QA departments where everyone has a financial motivation to scrutinize code and find weak spots. Really, if companies like Google et al. want to help open source, they shouldn't just contribute code; they should donate their QA team's time and talents to doing really thorough reviews on critical open-source code before it's merged into the main branch.