The large companies I have worked for tend to PURCHASE supported free software from Red Hat, SuSE, Oracle (even if it's a clone of Red Hat), IBM, etc. Indirectly this means that they end up paying for the development of free software since these open source companies all PAY their employees, many of whom write code that gets licensed under the GPL and contributed as open source. All you need to do to verify this is look at the contributions to the kernel or many of the key Linux subsystems to see the bulk of the contributions are coming from RH, SuSE, IBM, etc. (Why do you think SCO sued IBM for copyright infringement for IBM's contributions to the Linux kernel?)
Most companies are not and don't want to be in the software business. Software development isn't even close to what they do. They are quite happy to pay for software that may or may not be open source. If it is open source, they want the same level of support (or better) as they get with their closed source vendors. While they may not be contributing code, they are paying the salaries of people who write open source software as their full time job by buying this support.
The person who claims that open source is failing due to "free riders" and "volunteer maintainers" hasn't looked at how open source development works. Hell, even back when classic programs like awk and grep were developed and circulated in the old Unix community (it was through /usr/contrib), the bulk of the developers were professional software developers. These programs (and many more) were developed by software professionals who chose to make them available to others rather than sell them (for a variety of reasons).
Yeah, there are a lot of pieces of open source that were developed and are maintained by volunteers. There's nothing wrong with that and, for quite a few years, open source has had fewer errors and has been far higher quality than the equivalent closed source programs. I'm not arguing that the OpenSSL flaw isn't serious. It is and it needs to be fixed but a certain closed source software vendor seems to patch a dozen equivalent flaws each month. I'd hardly call the OpenSSL flaw a reason to condemn the open source development model.