That argument works both ways. Microsoft has had some very serious security bugs. Therefore, using your logic, all Microsoft software should not now or ever again be trusted. Think Code Red and others. In 1999 on a fully patched NT box you could compromise it with regular HTTP requests to IIS by just using pathnames with dot-dot-backslash and then working your way down the WINDOWS System CMD.EXE and then using it to run TFTP.EXE which was a standard part of the install. You could make the server TFTP down a bad exe from your own server, and then a second carefully crafted Http request to CMD.EXE could execute it for you. Game over.
Microsoft then fixed this by not allowing IIS to accept the dot-dot-backslash business. But you could use percent-sign-hex characters to represent the dot-dot-backslash. Microsoft then fixed that in IIS, but the filesystem would still accept the percent-hex-code characters. So you could double-escape them to get the filesystem to walk you to the CMD.EXE. Eventually they got this right and it was fixed. But there were many other holes. And who's stupid idea was it to run a server process, basically with root privileges?
I could go on. Even recently there was a major IE vulnerability that affected current and past versions.
Heartbleed was one instance of a lapse in security.