
Open Source is how that XZ hack got caught.



Selection bias — everyone only knows about the bugs that do get caught.

I was one of many who reported a bug in Ubuntu that went unfixed for years, where the response smelled of nation-state influence: https://bugs.launchpad.net/ubuntu/+bug/1359836

And Log4Shell took about 8 years to notice: https://en.wikipedia.org/wiki/Log4Shell


And we have no idea how many such bugs are lurking in closed-source software.

Thanks for making my point for me.


You've missed my point if you think I've made yours for you.

I'm not saying closed source is a silver bullet.

I'm saying OSS also isn't a silver bullet; it doesn't find everything, because there's not enough interest in doing this work.

The Log4j example alone, given it took 8 years, is enough to demonstrate that.

Everything is an illusion of trust, nothing is perfect; all we can do is try to align the interests of those working on projects with the interests of society — which is so hard that it's an entire field of study called "politics".
