Someone should be auditing Apache and Linux, and it had better be the vendors making the cash off it. If Red Hat and the others aren't reviewing the code base regularly, I want to know what my support contract's paying for. I should receive an assurance that the system has been audited for most known vulnerabilities, and every patch should have eyes on it (besides the maintainer's) that look for obvious things (buffer overflows, SQL injection vulnerabilities) and oddness (the nightmare of a multi-patch Easter Egg full of badness from a malicious source).
That last bit is one of the things I have to fight most when recommending Open Source to non-techies. I've had them talk about the Jurassic Park scenario, where someone embeds lots of littls things in the code and then they know how to trigger a catastrophic reaction. The easy security vulnerabilities are treatable with monitoring and audits - it's an order of magnitude harder to audit a whole change trail.