The huge problem with OSS is that if no one takes the responsibility to do a good code audit for a project, the NSA will do that independently, file the found exploits, and tell nobody.
Of course, the flip side is that if you *want* to do a good code audit for software you're using, you can do it on your own with open source software (and you can review code changes in patches before applying them). However, with closed source software, you can (usually) only take the word of the closed source company and have to trust that they haven't purposely inserted back doors into the code.
And once one company does the audit, they can share it with others (or a group of companies could share the costs of the audit), and all users, no matter how large or small, can validate that the code they are running matches the audited code.
Of course, an audit isn't a guarantee of finding a bug (which is just as true for closed source software as it is for open source software), but at least with open source code, a company that finds a bug can choose to fix it immediately without waiting for it to filter through a large company's release process.