OSS groups release security fixes, they are applauded for caring about people's safety and security.
Microsoft releases security fixes, they are appalled that they would let such a problem exist.
They often engage the community in totally different ways. The OSS groups often disclose vulnerabilities, workarounds, and print advisories very early --- they are honest and alert about the threat early.
Closed source OS vendors avoid publishing anything until they have a fix.
Closed source OS vendors have been known to refuse to acknowledge a vulnerability or provide a fix, because there's no exploit code, or because it's just a local vulnerability, or just a harmless DoS or resource exhaustion condition that can be caused.
Closed source OS vendors have been known to attempt to "steal credit" for vulnerabilities or mitigations from researchers who discovered them, for example by patenting ICMP mitigations. -- See Fernando Gont/ICMP mitigations article
The open source products often have a smaller "window of vulnerability"; that is, time between reporting of the issue, and time that a patch is available to those who need it.
The OSS groups don't generally give "special heads up" to large corporations and government security agencies and other organizations, including exploit code, with an imposed delay period before announcing to the public.
The OSS groups often have vulnerabilities fixed before there is an exploit in wide circulation.
Closed source vendors often have malware in circulation, long before remote code exec vulns are patched, AND due to the fact that they are lackadaisical about reporting security issues to the public and rapidly providing fixes.