You seriously think that black hats bother with reading millions of lines of code in the hope of finding an exploit when all they have to do is play with the data sent to services/applications and see if it misbehaves? Which is why exploits are found equally among closed and open software.
This is true, and exactly how this was found by Codenomicon. Having access to the source code actually makes it far easier to turn the bad behavior into a working exploit, particularly for something like buffer overflows. Although in this case, there wasn't much work needed as the bad behavior was returning the contents of memory in response to a bad parameter.