Most people never review source code, and they certainly don't disassemble and review all the binaries. 'Many eyes' is a security fallacy in cases like this.
Debian, which is much better known and in much wider circulation than Tails generated weak SSH keys for two years. Yes, it was indeed very big news. When it was found. After two years.
Oh, and tin-foil-hat on: Do we know (actually know-know, not just assume, think, trust) that the weakness wasn't planted there?
Tails is a Linux distribution aimed at privacy and anonymity.
(https://tails.boum.org/)