...I gave a link showing previous attempts to document the claims have failed. You don't even understand your own links, do you? You gave a 2-year old link showing that a particular model of bug-finding doesn't work--not that bug-finding by the public doesn't work. For a more current, but different, model of people finding bugs, I suggest you check out Bugzilla. It's being used at Mozilla, Ximian, Gnome, and NeoOffice, just to name a few.
You merely pointed out a business model that didn't work out.
Where does Bugzilla quantify who exactly is looking, how frequently they are looking, and what did they find both good and bad? It looks to me like nothing more than a huge bulletin board with random posts of bugs, take a look at the bugzilla apache site.
http://issues.apache.org/bugzilla/buglist.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&product=&content=
The naked eye indicates 90+% of the inputs for apache are by apache personnel. How is this supposedly proving that there is many good eyes outside of the original development group? Isn't that a tremendously small group of people considering how widespread that software is used?
Shouldn't there be lots and lots of other "good eyes" reviewing that code for vulnerabilities? But right now it looks pretty convincingly like good eyes = ~original dev team, and nothing more.