It isn't the openness of code that makes bugs shallow. In fact, as I remember the original quote, it went something like: 'given enough eyes, all bugs are shallow'.
It has nothing to do with the state of the code and everything to do with how many people are analysing the code.
With open source, the opportunity exists for many more people to examine the code and discover the faults, and that increases hugely with the popularity of the software and its development. With closed-source development, only the people authorised to see the code will examine it.
So the number of lines of code (x) divided by the number of developers looking at it (y) gives the real "shallowness" value. As x:y decreases, more faults tend to be discovered in a given time period. (This does not account for the complexity of the faults, obviously.)
A popular open-source project will be much more likely to have a lower x:y ratio than a comparable closed-source project, even if for no other reason than it is in the company's best interest to increase x:y for profit.
What's more, not only are faults found more easily with more eyes, but the fixes for those faults are also more easily written and applied with more minds working on it.
I hope this helps explain the 'REALITY' you speak of a bit better to you. There is real security value in open-source software.