Can you claim zero remote code vulnerability in Linux, despite it being open source?
Having the source is meaningless when it consists of tens or hundreds of millions of lines of code. Back-of-the-envelope calculations indicate that it would take you about 500 years to review 100 million lines of code, provided 8 hours a day are spent on it, every day. And then there's the bootstrapping issue. How can you be sure that the binary components you use to bootstrap the OS (be they executables or just a compiler) actually are secure?
In short, the only security metric that matters for operating systems is "do I trust my vendor?". Having the source doesn't buy you a single bit of security.
If you don't think Microsoft can be trusted, I would have to ask why. Granted, in the '90s they had an awful track record, but if I look at the past decade, I see a business that "gets it" when it comes to security.