Unless domain experts are constantly auditing
I read this fallacy every time someone wants to downplay the importance of open source code... every
It's simply not true. (First part of famous quote here:) Given enough eyeballs...
First of all, there are the software designers/programmers that actually lay out the structure and write the code. Unless they are 'in on the conspiracy', do you think any of them just write code and then 'throw it into the world and let it be'? There is quite a chance they'll notice when someone is tampering with their work. And for the distribution chain to the 'end user' we have MD5. Only one person has to notice a discrepancy there and make a fuss about it.
Then, when a project becomes more widely used, there will be domain experts looking at the sources, either because they are curious about it because they are working on something similar or there are financial incentives to do so (paid-for support... open source doesn't mean there is no way to earn money with it).
And then, there is the problem for the 'attacker' of leaving an actual trail that can lead back to them, which is orders of magnitude more likely to happen when the source is hosted openly on well-known OSS support websites than when it's 'securely' stored on some supposedly air-gapped secret server at big company Y. 'Everyone' (if the OSS website opts in for full disclosure) can even use source-code forensics on the style of code underlying the exploit, if necessary, and check commit logs and all kinds of secondary resources for traces of how the exploit came to be. Try that in a corporate setting.
The only thing closed source has over OSS is security by obscurity. And that's the proverbial worst security of all.
And this is fact: Unless 'the' closed-source software creator has a very generous 'eyeballs here please, we pay you big $$$, oh and here is the source tyvm with proper NDA of course', no-one but, maybe, that creator itself will notice when something is wrong....
Until some security expert/bughunter finally binary-fuzzes a backdoor/major exploit into action (which, at the risk of over-repeating my point, is a lot harder to do with assembly-only information vs. full sources), resulting in big scandalous news posts on tech websites where all 'nerds' can oooh and ahhh over it... either that or the exploit will be sold on to the highest bidder in 'chussiastan', where it will remain hidden until security researcher X notices weird processes on, or strange network packets flowing into, their honey pots. All in all a much more tedious process.
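The post leans on checksums along the distribution chain as the point where "only one person has to notice a discrepancy". As an added example (not part of the original comment), here is what that check looks like in practice: parse a checksum list in the two-column `md5sum`/`sha256sum` output format, pick the algorithm from the digest length, and compare the downloaded bytes against it. It generalises beyond the MD5 the post mentions to SHA-1 and SHA-256 lists. The release bytes and the checksum file are constructed inline; the function and file names are my own.

```python
"""Verify a downloaded artifact against a published checksum list.

Added example, not code from the forum thread. Sample data is constructed.
"""
import hashlib
import hmac

# Hex digest length -> hashlib algorithm name. Lets one verifier handle
# legacy md5sum lists as well as sha1sum/sha256sum output.
_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def algo_for_digest(digest):
    """Return the hashlib algorithm name implied by a hex digest's length."""
    try:
        return _DIGEST_LENGTHS[len(digest)]
    except KeyError:
        raise ValueError(f"unrecognised digest length {len(digest)}") from None


def parse_checksum_file(text):
    """Parse 'digest  filename' lines as emitted by md5sum/sha256sum.

    Returns {filename: hex_digest}. Blank lines and '#' comments are skipped;
    a leading '*' on the filename (binary-mode marker) is stripped.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_artifact(name, data, checksums):
    """Return (ok, reason) for the downloaded bytes `data` of file `name`."""
    expected = checksums.get(name)
    if expected is None:
        # An artifact with no published digest cannot be trusted by this check.
        return False, f"no checksum listed for {name}"
    actual = hashlib.new(algo_for_digest(expected), data).hexdigest()
    # Constant-time comparison is a cheap habit even for public digests.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {name}: expected {expected}, got {actual}"
    return True, "ok"


# --- constructed sample data -------------------------------------------------
GOOD_RELEASE = b"#!/bin/sh\necho 'hello from release 1.0'\n"
# One byte changed in transit: the same script with a different payload.
TAMPERED_RELEASE = b"#!/bin/sh\necho 'hello from release 1.1'\n"

# A checksum file as a maintainer would publish it (sha256sum format), built
# here from the known-good bytes so the sample digest is exact.
CHECKSUM_FILE = (
    "# release checksums (constructed sample)\n"
    f"{hashlib.sha256(GOOD_RELEASE).hexdigest()}  release.sh\n"
    f"{hashlib.sha256(b'docs').hexdigest()}  *README.txt\n"
)
CHECKSUMS = parse_checksum_file(CHECKSUM_FILE)


if __name__ == "__main__":
    for label, blob in (("good", GOOD_RELEASE), ("tampered", TAMPERED_RELEASE)):
        ok, reason = verify_artifact("release.sh", blob, CHECKSUMS)
        print(f"{label:9} -> {ok} ({reason})")
    print("unlisted  ->", verify_artifact("other.sh", GOOD_RELEASE, CHECKSUMS))
```

The check only helps if the checksum list is obtained over a channel the attacker does not also control (a signed list, or a separate host from the download mirror); a digest published next to a tampered file verifies the tampered file just fine.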