March 04, 2014
Linux Critical Crypto Bug

Sadly, open source isn’t invulnerable to security bugs either, even with source code seen by hundreds of eyes. A critical crypto bug has left Linux and hundreds of apps open to eavesdropping since 2005:

The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.

However, fixes have started rolling out already.
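The failure mode the excerpt describes, an early exit from certificate verification, can be shown with a small C model. This is an added illustration, not GnuTLS source code; the struct, the `ERR_PARSE` code and all function names are hypothetical, and it assumes a verifier whose return value mixes a boolean answer with negative error codes.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration; these are not GnuTLS types or functions. */
#define ERR_PARSE (-1)              /* hypothetical internal error code */

struct cert {
    const char *subject, *issuer;
    int is_ca;                      /* CA flag asserted by the certificate */
    int parse_ok;                   /* 0 simulates a malformed certificate */
    int sig_ok;                     /* 1 if the issuer's signature verifies */
};

/* Flawed: 1 = trusted, 0 = not trusted, but a parse error leaves the
 * function early with a negative code in the same return value. */
int issued_by_flawed(const struct cert *c, const struct cert *ca)
{
    int result;
    if (!c->parse_ok || !ca->parse_ok) {
        result = ERR_PARSE;
        goto cleanup;               /* remaining checks never run */
    }
    result = ca->is_ca && c->sig_ok && strcmp(c->issuer, ca->subject) == 0;
cleanup:
    return result;
}

/* Corrected: fail closed; only the fully checked path can return 1. */
int issued_by_fixed(const struct cert *c, const struct cert *ca)
{
    int result = 0;
    if (!c->parse_ok || !ca->parse_ok)
        goto fail;
    if (ca->is_ca && c->sig_ok && strcmp(c->issuer, ca->subject) == 0)
        result = 1;
fail:
    return result;
}

/* Callers test the result as a boolean, so -1 reads as "verified". */
int accept_flawed(const struct cert *c, const struct cert *ca) { return issued_by_flawed(c, ca) ? 1 : 0; }
int accept_fixed(const struct cert *c, const struct cert *ca)  { return issued_by_fixed(c, ca) ? 1 : 0; }

int main(void)
{
    struct cert ca = {"Example CA", "Example CA", 1, 1, 1}, bad = {"host.example", "Example CA", 0, 0, 0};
    printf("malformed cert: flawed=%d fixed=%d\n", accept_flawed(&bad, &ca), accept_fixed(&bad, &ca));
    return 0;
}
```

A regression test for this class of bug feeds the verifier a malformed certificate and asserts rejection, since tests that use only well-formed inputs pass against both versions.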





Posted by Arcterex at March 04, 2014 02:33 PM