There was a
recent article about the myth of open-source security. While all well and good, I have some thoughts of my own.
One factor that wasn't accounted for was the "trust" factor. It's no secret that I do not trust MICROS~1 with security, or TO be secure, or even to adequately repair a given security hole. On the other hand, I can generally trust the software whose source is available to have holes discovered, repaired, and reported in a reasonable timeframe.
Yes, it's a perception. Since perceptions aren't empirical, I can understand why it had no place in what was geared up as a scientific experiment. But this perception forms my "reality" with regards to the overall security of a product.
First-hand evaluation of said product will either confirm or refute my perception. No biggie.
On a related note, no matter which product one uses, they must be vigilant in ensuring that the product is secure. They must actively look for reports of holes, apply fixes, and verify that the threat no longer exists, and do this all in a reasonable timeframe.
The numbers don't mean a damned thing to me. The ability to track, fix, and verify the security of a product, however, does matter.