As such, I wouldn't hold much faith that just because CyanogenMod is open it's suddenly more secure than a proprietary product. It might be, and open source is good for a raft of reasons, but I suspect anyone who wanted to plant an exploit could still bury it in plain sight if they wished.
No, indeed. Being open source doesn't make CyanogenMod automagically secure. The GPL and BSD licenses aren't magic pixie dust, per se.
BUT being open source at least makes it 100% possible to audit CyanogenMod (unlike, say, iOS. Even if you wanted to, you couldn't audit that one, because its source code is a well-guarded secret of Apple's).
If you're not content with the approach of "let's wait; if there's something evil inside, someone is bound to discover it eventually, some day", YOU CAN DO something about it.
1. Either have a look at the code yourself (if you have the necessary skills).
2. Or you could pay someone to do it. TrueCrypt is a nice example that this is possible to do. In fact, you could have a good chance of success with a crowd-funding project for a code review of CyanogenMod. This model is quite popular among people who are more sensitive to control/security/privacy issues. If they are ready to jump through hoops to be sure that their phone runs the OS of their choosing, an OS that they can control and that they could trust, I'm sure some would be ready to set a few bucks aside and pay for a crowd-funded project to check and guarantee the source code of CyanogenMod. Especially these days, when people have been made especially aware of privacy/security problems by the whole Snowden debacle.
Given that CyanogenMod is a critical piece of software (it's an OS which lots of people run on their phones, and it's a derivative of Android, which is the dominant phone OS, and lots of people want to trust their phone), starting such a crowd-funded audit DOES make terribly good sense.
I'm not interested enough to help start the project itself (I don't use Android/CyanogenMod, and I don't trust my phone anyway).
But I would probably give money to such a project.
As a side note: LOL @ our handles being only a few letters apart (DrYak vs. DrXym, in a HAL / IBM style of letter shift).