
Assuming that the "independent security researchers" were being paid to do it by someone with wholly good intentions, sure.

But lots of open-source software have giant vulnerabilities sitting around for years because no one skilled in the art has done the drudge work of going through the code looking for bugs. High-status projects like OpenSSL or qmail will always have a sufficiently large community of researchers constantly combing over them, but the assumption of "well, it's open-source, so someone must have looked through it for security holes" self-fails because everyone assumes someone else did the hard work and often no one does.

And if "people looking through the code for exploits" is the measure of a secure code-base, then Windows is the most secure platform ever. Vast numbers of very very qualified (read: expensive) people have looked through that source code specifically to find security holes.




What exactly is your argument? That closed-source is more secure than open-source, because there are no 'guarantees' that the open-source project gets the security audit it needs?

Hogwash.

There is no guarantee that just because something is closed-source, it's going to be 'safer' or necessarily 'more secure'.

Billion-dollar security industries have risen because Microsoft won't/can't fix its bugs.


You might wish I had said that closed-source was more secure than open-source, but I didn't say that.

However, I am pointing out that the argument of "open-source is more secure because lots of security researchers worked hard to find all the bugs" necessarily leads to the conclusion that Windows is the most secure thing ever. Armies of people have looked at that, both internally and externally.

I also said nothing whatsoever about "guarantees." But the idea that the very expensive labor needed to look through a code-base for vulnerabilities somehow shows up for free merely because a project is open-source is deeply flawed.


First of all, Windows is not the most secure thing ever, by far.

Second of all, far more eyeballs have looked at the Linux Kernel than the Windows kernel. Far, far more. A factor of 100x more, I would imagine.


I did not claim that Windows was the most secure thing ever. I was just giving the logical result of "the most audited code is the most secure code."

Yes, lots of people have looked at the Linux kernel. Looking at something doesn't make it more secure. In fact, Linus has to spend some of his time dealing with assholes who decide the best way to submit pull requests is by making petitions on change.org to get Linux to change its RNG.

If right now a thousand PHP developers decided to look at qmail's source to look for bugs, djb would just think "oh shit, now I have to deal with that today." You need people highly skilled in the art. The most high profile open-source projects can muster that for free, but by definition most open source projects cannot be the most high profile.


"given enough eyeballs, all bugs are shallow" -- Linus's law.

The fallacy that closed source projects have fewer security flaws is not strictly true.


You know those are Eric Raymond's words, not Linus's, right?

I didn't say that closed-source was more secure. I did, however, point out the problems with the statement open-source is more secure because it's more audited. Those problems are 1: if "auditing" is the measure of security, then Windows wins everything, hands down, game over, everyone else go home; and 2: you are assuming that the expensive labor is showing up for free. They will for some projects, but not for most.

(Also, lots of security bugs aren't because there have been insufficient eyeballs looking at a problem, but because the eyeballs looking at the problem are insufficiently skilled.)


I'm not entirely certain on what metric you are using to say Windows is more secure because it has had more eyeballs. I would assume the fair metric is eyeball hours per line of code, which I would assume is much lower for Windows than for Linux. There are probably many parts of the Windows codebase that, once written and demonstrated to be working, have probably not received any real attention since. With Linux and other popular open-source programs, their lines of code have probably been reviewed by every serious senior software engineer who has decided to get involved in those codebases for one reason or another.

There is no reason to think that the eyeballs looking at the Windows source code (i.e. Microsoft employees) are any more skilled than those in the open source community looking over Linux source code. There are probably many parts of the Windows codebase that were written by junior engineers and given the OK by a senior engineer if the code worked and didn't look obviously broken. Much of that code probably hasn't been combed over since, because it would only be combed over by the few people who have access to it, and the still fewer people who have both access and a reason to comb over it because it's part of a task they are currently assigned to work on.
