Depends on the company. They can also disappear leaving you without support, decide to abandon the product as non-strategic, or ask you to upgrade when you don't need to.
Which FOSS project you adopt is equally important. A while ago I was looking for a simple FOSS file upload utility; I found one, installed it, read through the SourceForge site, and used it for a good year. Then when somebody was looking for a similar utility, I searched for the utility and found a 5-year-old CVE which allowed arbitrary files to be overwritten. The project was still being actively downloaded and there was no mention of it in the forum. I tested my site, found myself vulnerable, and notified the maintainer... no response.
In hindsight, the vulnerability in the code was glaringly obvious. I *assumed* that a popular project would use basic input validation, or would update the code when a CVE is released... but no.
Just because there are no patches or negative comments in the forums, and it's a popular project, doesn't mean that there's not a major, *glaring*, well-known vulnerability.
Same applies for closed source I suppose, but if the company is active, there's an incentive to disclose major vulnerabilities to subscribed customers, else they could be sued out of existence.
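The "basic input validation" the post above says was missing is worth seeing in code. The following is an added example written for this page, not code from the utility the poster used or from any named project; the function names, the allow-list rule and the sample filenames are all constructed for illustration. It puts the untrusted pattern (joining a client-supplied filename straight onto the upload directory) beside a hardened handler that allow-lists the name, confines the resolved path to the upload directory, and uses `O_EXCL` so an upload can never overwrite an existing file, which is the "arbitrary file overwrite" class of bug the CVE described.

```python
import os
import re
import tempfile

# Allow-list for upload filenames (constructed rule for this example):
# must start with a letter or digit; letters, digits, '.', '_' and '-' only.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def vulnerable_target_path(upload_dir: str, client_filename: str) -> str:
    """The risky pattern: the client-supplied name is trusted as-is.

    '../' segments walk out of upload_dir, and an absolute name makes
    os.path.join discard upload_dir entirely.
    """
    return os.path.join(upload_dir, client_filename)


def safe_target_path(upload_dir: str, client_filename: str) -> str:
    """Validate the client-supplied name and confine the result to upload_dir."""
    # Reject any path separator outright rather than trying to strip it.
    if "/" in client_filename or "\\" in client_filename:
        raise ValueError(f"rejected upload filename: {client_filename!r}")
    if not _SAFE_NAME.match(client_filename):
        raise ValueError(f"rejected upload filename: {client_filename!r}")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, client_filename))
    # Defence in depth: confirm the resolved path is still inside upload_dir.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("upload path escapes upload directory")
    return target


def save_upload(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Write the upload without ever overwriting an existing file."""
    target = safe_target_path(upload_dir, client_filename)
    # O_EXCL makes the open fail with FileExistsError if the file already
    # exists, so even inside upload_dir one upload cannot replace another.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run constructed filenames through the hardened handler.

    Returns a mapping of filename -> (outcome, detail) so the result can be
    inspected or asserted on without relying on printed output.
    """
    results = {}
    # Constructed sample inputs: one honest name, then traversal/absolute/odd ones.
    samples = ["report.pdf", "../outside.txt", "/etc/passwd", "..\\..\\x.txt", "a b.txt"]
    with tempfile.TemporaryDirectory() as d:
        uploads = os.path.join(d, "uploads")
        os.mkdir(uploads)
        for name in samples:
            try:
                saved = save_upload(uploads, name, b"constructed sample content")
                results[name] = ("accepted", os.path.relpath(saved, uploads))
            except ValueError as e:
                results[name] = ("rejected", str(e))
        # A second upload with the same name must not overwrite the first.
        try:
            save_upload(uploads, "report.pdf", b"second body")
            results["report.pdf again"] = ("accepted", "")
        except FileExistsError:
            results["report.pdf again"] = ("rejected", "exists")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome}")
```

The point of `vulnerable_target_path` is only to show how little protection a bare `os.path.join` gives; a reviewer auditing an upload utility can grep for exactly that pattern. The hardened version deliberately rejects rather than "cleans" suspicious names, because stripping separators and dot segments is where most sanitizers get it wrong.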