Yes, exactly. (My day job is static analysis.)
"Many Eyes" are great for identifying and fixing the broken build... but have no good track record for monitoring security design and implementation flaws.
For security infrastructure critical code, the available tools should be coming up spot clean. This is absolutely not the case with OpenSSL.