With open-source software, a monoculture isn't that bad a thing, as the Heartbleed exploit has shown.
Heartbleed showed that a monoculture, particularly one relying on poorly written and barely reviewed code, is a bad thing. OSS or not. That the source code was fixed so easily just highlights to me how the heartbeat feature was never properly reviewed or tested, and how people using openssl or incorporating it into their products never questioned it. The many eyes argument fails when you realize how few qualified programmers looked at the code. Given how widespread openssl is, getting that fix rolled out to all the s/w and h/w that have it embedded is a nightmare. Just think of the billions being spent to audit and test across enterprise networks, and update all that software.
Sure, openssl will get more scrutiny for a while, but it doesn't fix the underlying fallacy that OSS automatically means quality code regardless of whether it's commercial, free, or otherwise licensed. Or that OSS projects quite often have a shoestring budget, lower quality programmers, and far less review than closed, proprietary software.