Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: Golden Eagle
Son.

The debate is misidentified as "open source is more secure than closed source." It should be, "open review is more secure than closed review."

Closed source could be just as secure-- if it were constantly scrutinized by tens of thousands of eyes over its lifetime, as open source is afforded through the process of open review. Sadly, that is not viable to closed source. Open review of closed source is logically not possible, and most shops could not literally afford so many eyes to perform an in-house review. Not to mention that few people would ever be granted access to the entire code base, for the well-placed fear of losing the code to a rogue agent.

To aggravate matters, closed source almost always drives a commercial engine, one that must worry about the bottom dollar, one that cannot linger on the unfinished 5% of the project, the 5% that would consume 95% of the project's costs. The dollar eventually kicks in and demands work be completed or curtailed. All software projects follow a rule of diminishing returns. Open source has the advantage of hundreds or thousands of developers, far more than would be assigned to a similar sized project if any expected a paycheck, all entering the project at different stages of its lifetime, and for different reasons. There is a great deal of overlap, but labor of review is distributed far wider than even Microsoft could afford. And often this is done not on the clock but rather for the love of programming.

Slightly off-topic, what do you say about our closed source jobs being handed over to India and China? How do we know some red Chinaman hasn't cunningly inserted a backdoor deliberately engineered into some complex set of conditions, something unlikely to be seen the first several hundred times reviewed? Open review, with hundreds or thousands of eyes, would be more likely to catch such a deception.

111 posted on 07/26/2003 1:58:57 AM PDT by John Robinson
[ To 81 ]


To: John Robinson
Mr. Robinson,

Thanks for your reply, although I am not the age of a boy as the greeting in your post seems to indicate. I have been deeply involved in computer systems for over 20 years, and graduated as an EE at the top of my class, even serving as chairman of our IEEE branch my senior year. I now provide overall configuration management of a large-scale network consisting of thousands of systems, which were originally various flavors of UNIX and VMS, which slowly migrated towards PCs through the use of Pathworks and NetWare, and eventually reaching our current end state of UNIX and Windows. My home experiences include multiple Tandy and Apple computers, as well as IBM-type PCs. I have been very polite in my responses to you and respectfully request the same.

In your response, you didn't seem to address the question I originally posed about how your model in any way assures there are more "good" people than "bad" people looking over your totally exposed code. This relationship is extremely important, especially as the code size begins to grow in size and evolve in complexity, and if you ever exceed a critical mass point of more holes being found than your volunteer force can support, you theoretically will never be able to catch up.

Concerning the possibility of unorganized coders from around the world being able to successfully outproduce the best that Microsoft has to offer, all I can offer is my opinion that it doesn't seem to be happening; the Linux operating system still seems rough around the user edges and has few applications to go with it. And as soon as Linux began to demonstrate some full robustness, now we hear claims that the high end capability was likely stolen from UNIX, and not developed by the OSS crowd at all.

Concerning the outsourcing of jobs to China, etc., I sincerely doubt those positions are going to be developing core operating system components, etc. Many of those positions are actually going to be manufacturing (shrink wrap), disk pressing, and even marketeers needed to start actually regaining some licensing costs from all the Chinese/Indians who are illegally copying their wares. There will certainly be some software engineering going on, but it will very likely be more 'testing' or other mundane roles, not cutting edge micro-kernel upgrade improvements.

Thanks again for your message, and I look forward to discussing any item of your choosing in the future. Goodnight to All.

117 posted on 07/26/2003 2:26:27 AM PDT by Golden Eagle
[ To 111 ]

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson