Bob makes some software and releases it open source as is.
Company X is considering using Bob's software to release medical device Y. If the cost of developing Bob's software in house > risks of using Bob's software then they can choose to use Bob's software. They can also audit Bob's software, release a patch, and then use that version, saving money and reducing risks.
Note, it's Company X not Bob that's taking on liability but Company X also gets profit from selling device Y.
The open source definition actually requires allowing that. Some but not all licenses force you to keep the open source license for any changes you make and distribute to the original. However, this doesn't mean giving away the hardware for free, only the software.
No, your cellphone for example probably has open source code.
A common restriction is to release the source code when distributing the software. But, that's not really an issue with medical devices as there is a physical device not just software involved.
As others have pointed out, open-source software is not necessarily non-commercial. Open-source software can be sold for any dollar amount the author sees fit. The author simply must furnish a copy of the source upon request from any recipient of the binary, and cannot charge any more than it costs to fill that request.
The commercial breakdown occurs because each recipient also has the right to redistribute the source code and binaries, so Original Author Alice sells to Bob for $100, Bob sells to Charlie for $50, Charlie sells to Dan for $10, and Dan posts it online for everyone to get for free. Even if Dan's site goes offline, someone will create a mirror. Open-source licenses make this perfectly legal. Thus, open-source authors do not have an enduring market for selling their software.
The loophole for commercial OSS companies is usually something called dual-licensing, enabled by the unique "copyleft" provisions first introduced in the GPL.
Copyleft means that the license is infectious. Any code linked against GPL code also becomes GPL. If someone links against code that they cannot legally make GPL or refuses to distribute the linked code under the GPL's terms, they have violated the GPL and could be sued by copyright holders to enforce compliance, stop distribution, and/or seek damages.
This infectious element is why some people and companies are very cautious about the licenses on the open-source projects they use. Some household names have had some close calls by incorporating GPL code without fully understanding the ramifications (and some household names may be in hot water over this soon, as GPL violations are not entirely uncommon).
Copyleft is great for most pure open-source projects since it means that everyone has to share back not just their changes to the software, but also the stuff they build on top of your project. However, because open-source software usually doesn't sell well (as discussed above), it means that people who want to sell their software commercially cannot use any GPL code anywhere in their software -- unless the copyright holder also makes that code available under a non-GPL license that won't infect the linked software.
This allows people who want to use your code as a foundation or library in a commercial package to pay for a commercial, non-infectious license, and it allows people who don't need that to use the GPL version, which requires that their code becomes free too.
Dual-licensing is the way that many open-source software companies have survived and tried to harness the best of both worlds. TrollTech, who made Qt until they were acquired by Nokia (and then spun off after the Microsoft liquidation), is one such company that lived many years off the dual-licensing model.