I actually agree there is no intrinsic advantage in having this piece of software as open source - closed teams tend to have a more contained collaborator "blast radius", and you don't have 500 forks with patches that may modify behaviour in a subtle way and that are somehow conflated with the original project.
On the other hand, anyone serious about malware development already has "the actual source code", either for defensive operations or offensive operations.
Open source doesn't mean the bazaar; plenty of projects have a cathedral-style development.
Bazaar works absolutely fine for security. The Linux kernel is one project which does this, and all security infrastructure uses it one way or another. The tens of thousands of patches and forks have not once been discovered to have the subtle bug/vulnerability scenario intentionally submitted yet in 30 years.
There seem to be a lot of misconceptions in this thread about what open source is or can do. Most of my points have been made by people much better than me for decades now.