that's true, but, to be fair, it might be easier to order an anti-hacker CIA background check for a contracted company of 100+ employees, than for a 10,000 pseudo-anonymous github users.
Yeah, but how often do you perfom that check? In the end it is all about the code and whether it can be checked.
And I have to say my personal confidence in the quality of governmental code is higher if it is open source than if it wasn't — because I know some pretty paranoid people who would for sure check that could better than any contractor ever would.
