You seriously think that black hats bother with reading millions of lines of code in the hope of finding an exploit when all they have to do is play with the data sent to services/applications and see if it misbehaves. Which is why exploits are equally found among closed and open softwares.
Generally I still think that open source projects have an advantage over closed source because there are more eyes on the code in a FOSS project. That being said shit does and will happen and unfortunately even in open source projects sometimes a whole lot of shit manages to pile up before it finally hits the fan which of course then results in a particularly big and very stinky mess like Heartbleed. What the OpenSSL team seems to have failed to do is to perform a really serious amount of destructive testing on their library which, as you pointed out is essentially what black hats do to find these kinds of vulnerabilities anyway. This is not surprising since quality assurance and testing seems to be a bit of a poor relations many FOSS projects just like it is in the closed source community. Another thing I'd try if I was a black hat is to run some kind of static code analyser on the codebase that can identify this kind of problem so that might be another thing the OpenSSL team can try if they aren't doing it already. Finally, when something is as widely used and fundamental to the workings of the internet and online commerce as OpenSSL is one would expect that perhaps some of the big beneficiaries of the OpenSSL project like Google, Apple, Amazon, Facebook etc. could foot the bill to do some suitably paranoid amount of quality assurance on it and other such FOSS projects. After all it's not like any of them is short of cash now is it and maybe these corporations could invest some of that cash they avoid paying in taxes to make everybody's digital lives a little safer by offering bounties for OpenSSL bugs? (...and yes, I know that expecting corporations to show communal responsibility is a long shot but hope springs eternal)