Now I'm not one to go quoting ESR, but it's essentially because FOSS crypto software is widely used and has had a lot of eyeballs on it. Clearly that doesn't grant it immunity from bugs, but given my recent experiences, I'm a lot less trusting of hardware manufacturers to get crypto right.
I'm familiar with the sentiment, but there are numerous high-profile CVEs in the past decade that persisted in FOSS for long periods despite wide use and many eyes. The only hardware one I'm aware of is the YubiKey.
I think we agree that the many eyes maxim isn't as big of a factor as some might make it out to be, perhaps it's more of a "the devil you know" situation. With hardware there isn't a lot of transparency around the implementations that are used, so it just makes me feel uncertain. I'd rather throw my lot in with OpenSSL and GPG than unknown library X.
Also, it wasn't just Yubico products that were impacted by the vulnerability. It was estimated that 25% of all TPM devices globally were impacted, which adds up to millions of smartcards.