The problem here is that people have been using the argument that Open Source is better because these issues can't happen "because" of the visibility.
Pretty much anything built by man is subject to errors. That includes source code -- open or closed. Any sane programmer knows this. The difference with open source is that the code is open to the users. Especially in the case of security, correctness is a high priority for many users, and those users can drive the bug-hunt process. As such, bugs tend to get found and fixed (sometimes proactively) faster with Free and Open Source code than with proprietary code.
For companies, on the other hand, security and correctness, in general, are a cost centre. It's often only pursued to the extent to which ignoring it affects profits. If it's considered better for the bottom line to ignore/hide a critical security bug than to fix it, then it may never get fixed. -- "Better for the bottom line" includes being paid to keep a bug open by the NSA/KGB/Mossad/etc. The well-being of the customer base is only an (indirect) part of the profit calculation.
"Bad for the bottom line" includes fixing code that you're no longer actively selling -- unless the bug hurts your public image too badly.
That's why, for example, XP is no longer going to be supported -- despite the fact that perhaps hundreds of millions of machines still use it.
Red Hat 7.2 isn't officially supported by Red Hat, either -- but despite the fact that the current user base is probably in the range of hundreds or thousands, somebody who considers it critical infrastructure and can't/won't upgrade it can still arrange to get bug fixes because the source is legally available. Red Hat isn't the gatekeeper for support the way that Microsoft is for Windows. Red Hat is simply the (highly) preferred source of support.