There is still yet another reason to trust Open Source code: the risk of being exposed. If you're the NSA, and you're inserting illicit code into Open Source, then you're at a very high risk of being exposed as a mole. This risk, being a known mole, is too high for a "real" spy. If I were a spy agency, I wouldn't risk any assets for such a short-term gain. Once exposed, a mole will have no trustworthiness AND all associations would likely become suspect. Basically, you're risking the whole operation on the assumption nobody is looking for you and therefore you won't be discovered.
Further, if I were the NSA, I would be looking at the raw code, looking for backdoors inserted by other agencies (Russian, Chinese, Israeli, Canadian), and I would assume that these other countries would be doing the exact same thing.
Combined with the above, these two assumptions (risk of exposure, looking for compromises) are sufficient to take the approach that the code is not likely compromised on purpose. This is not to say that there are no risks, just that they aren't likely to be intentional.