The number of long-running bugs which have been found in popular open source projects suggests that “many eyes make all bugs shallow” should be remembered as an amusing bit of 90s trivia like Swatch Internet Time.
What seems to matter more is how many auditors are actually digging in and how aggressively secure coding practices are applied. It certainly doesn’t seem like there’s a big difference between the two in terms of security but Android has more people using old software because their manufacturer didn’t want to ship an update.
If something isn't being actively attacked, penetrated, scoured over, delved into, fuzzed, and poked at by MULTIPLE EXPERTS IN THE FIELD, you should assume it has several completely bypassing security vulnerabilities.
“Many eyes make all bugs shallow” should have always been seen as horse shit. It has the same level of evidence as other linuxy "truisms" like "worse is better" and "everything as text or a file is best".
Heartbleed and Shellshock sat right in the public eye for quite some time, but it turns out nobody was watching.