That may be true, but we have not yet discovered how to make a system that is truly, 100%, absolutely guaranteed secure. That means real world security is all about risk management: what risks can we identify, and what can we do to mitigate them?
Unless you are capable of building literally everything you need, from the most basic hardware components or the first line of code on up, at some point you will come to a decision between trusting some partner organisation and its staff to do what they say and looking elsewhere. And if you really need something big and you can't build it yourself, there are probably only so many potential partners to work with before you run out of options.
So, maybe no amount of assurances from Microsoft would reassure you, but if you're in charge of a hypothetical multi-year, multi-billion dollar R&D programme and you need a desktop OS to run your software on, who would you allow to reassure you? Apple? The Debian security team? A few hundred specialist developers you just hired to build you something from scratch on top of FreeBSD?