The other way to hide the backdoor is to make it a hard-to-find bug. Plausible deniability is quite high.
Reading a huge codebase is an unlikely way to spot backdoors anyway. After a few thousand lines the reader's eyes would glaze over, and anything subtle would be missed. This isn't as easy as looking for two-digit year fields a la Y2K reviews.
Besides, the Heartbleed bug should have been a clue that open source alone doesn't make security issues "transparent". Somebody has to both read and understand the code to detect these things, and an OS like Windows is so huge that nobody can understand the whole thing. Even a relatively small, specialized module like OpenSSL slid by for years without anybody noticing the problem.