Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: Golden Eagle
That makes for a very poor security model

You have it exactly 180° backwards. At the SANS Institute courses and seminars, the instructors stress that open source has extremely STRONG advantages over closed source security-wise, and they gave multiple examples where that was the case in the area of cryptography.

In order for a cryptographic algorithm to be accepted, it MUST be open source, and there are prizes offered to whoever can detect flaws in it and break it. The actual code that breaks the algorithm MUST be published as well...

124 posted on 07/26/2003 9:05:31 AM PDT by chilepepper (new and improved tag line under construction)
[ Post Reply | Private Reply | To 26 | View Replies ]


To: chilepepper
You have it exactly 180° backwards. At the SANS Institute courses and seminars, the instructors stress that open source has extremely STRONG advantages over closed source security-wise, and they gave multiple examples where that was the case in the area of cryptography.

In order for a cryptographic algorithm to be accepted, it MUST be open source, and there are prizes offered to whoever can detect flaws in it and break it. The actual code that breaks the algorithm MUST be published as well...

If obscurity is the only security method employed, an application (or OS) isn't going to be secure. But it doesn't naturally follow that an application's obscurity makes it insecure. Just as OSS's openness doesn't make it secure.

IMO, MS's security problems have traditionally related to the following:

1. Trusting user input too much, resulting in buffer overrun vulnerabilities.
2. "Everything runs as root", resulting in small breaches becoming major breaches.
3. A largely untrained user base.

The fixes, that I've followed over the past few years, looked this way to me...

1. MS's software (like most closed-source and open-source software) had plenty of problems with buffer overrun vulnerabilities. Programmer training is the best way to stop these problems. It doesn't matter how many eyes are reviewing a program if they don't know what to look out for.
2. Windows2000 and WindowsXP are set up with multiple privilege levels for users, processes, and files... much like UNIX.
3. The OS vendor only has limited control here... but turning off unnecessary features and setting strong security defaults in Windows2000/XP/MSIE/Outlook helps. Linux hasn't suffered from this much, since its difficult user interface keeps the riff-raff away.

Regarding your point about the openness of encryption... To my knowledge, MS uses industry-standard encryption algorithms. They have not implemented their own 'obscure' encryption algorithms. If you have evidence otherwise, please post.

128 posted on 07/26/2003 10:40:14 AM PDT by TheEngineer
[ Post Reply | Private Reply | To 124 | View Replies ]
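The first item in TheEngineer's list, an unchecked copy of user input into a fixed-size field, is the bug class behind most of the overruns he refers to. The following C program is an added illustration (not code from any poster or from any Microsoft or Linux product) of how such a copy turns into a privilege problem, and what the trained-programmer fix looks like. The record layout, the function names and the attacker input are all constructed for this example; to keep the demonstration well-defined in C, the unchecked copy is clamped to the size of the whole record rather than being allowed to run off the end of the object, which is what it would do in real code.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical record layout used only for this illustration: a fixed-size,
 * user-controlled name field followed by a privilege flag that only the
 * server is supposed to set. The adjacency is what makes an unchecked
 * copy into name[] dangerous. */
struct account {
    char    name[16];
    uint8_t is_admin;
};

/* "Trusts user input too much": copies however many bytes the client sent,
 * bounded by the name field's declared size nowhere. For a well-defined
 * demonstration the copy is limited to the whole struct; a real overrun
 * would keep going past the object. */
static int set_name_unchecked(struct account *acct, const char *input, size_t len)
{
    if (len > sizeof(*acct))
        len = sizeof(*acct);
    memcpy(acct, input, len);   /* spills from name[] into is_admin */
    return 0;
}

/* Hardened version: refuse input that does not fit with room for the NUL,
 * rather than silently truncating or overrunning. */
static int set_name_checked(struct account *acct, const char *input, size_t len)
{
    if (len >= sizeof(acct->name))
        return -1;
    memcpy(acct->name, input, len);
    acct->name[len] = '\0';
    return 0;
}

/* Constructed attacker input: 16 bytes of filler followed by 0x01, the byte
 * that lands on is_admin when the copy is not bounded by the field size. */
static const char ATTACK[] = "AAAAAAAAAAAAAAAA\x01";

/* Returns 1 if the unchecked path ends with the admin flag set. */
int demo_unchecked_grants_admin(void)
{
    struct account acct = {0};
    set_name_unchecked(&acct, ATTACK, sizeof ATTACK);
    return acct.is_admin == 1;
}

/* Returns 1 if the checked path rejected the input and left the flag clear. */
int demo_checked_rejects(void)
{
    struct account acct = {0};
    int rc = set_name_checked(&acct, ATTACK, sizeof ATTACK);
    return rc == -1 && acct.is_admin == 0;
}

int main(void)
{
    printf("unchecked copy sets is_admin: %d\n", demo_unchecked_grants_admin());
    printf("checked copy rejects input:   %d\n", demo_checked_rejects());
    return 0;
}
```

The point of the two functions side by side is the one TheEngineer makes about training: the fix is a one-line length check against the destination's size, and a reviewer who does not know to look for the missing check will read the first version as perfectly reasonable code.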

To: chilepepper
You have it exactly 180° backwards. At the SANS Institute courses and seminars, the instructors stress that open source has extremely STRONG advantages over closed source security-wise, and they gave multiple examples where that was the case in the area of cryptography. In order for a cryptographic algorithm to be accepted, it MUST be open source, and there are prizes offered to whoever can detect flaws in it and break it. The actual code that breaks the algorithm MUST be published as well...

While I won't deny that cryptography is (apparently) currently successful with its peer review process, in general cryptographic algorithms are relatively small amounts of code that can be sufficiently analyzed by a large group of engineers.

However, you cannot compare that overall tiny process when compared to the millions of lines of code currently contained in Linux operating systems, especially considering the vast number of flavors currently available.

Just because a small cup of water can be easily microanalyzed, does not mean a large lake or ocean can be analyzed to anywhere near the same level of thoroughness.

129 posted on 07/26/2003 10:44:17 AM PDT by Golden Eagle
[ Post Reply | Private Reply | To 124 | View Replies ]

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson