The thief knows what would happen if he's caught.
He's point, I think, is not about less or more secure. either is as likly to incroporate bugs a the other. It is about the chances of finding a vulnerability and the time it takes to fix it.
With open source, If you happen (or know someone) find a vulnerability chancesa re you can fix it right a way, report/submit a patch. As for a closed source, all you can do is report and wait (slashdot is full of articles about that).
if there's a choice between blaming someone for a problem and avoiding the problem, avoiding (when possible) is always the winner strategy.