What are you suggesting? "Many eyeballs" translates into instantaneous discovery? How long did the WMF vulnerability exist before discovery? Hint: It was much longer than two years.
Actually, my point is quite simple - KDE, like most OSS projects, has a dedicated core of developers who do the vast, vast majority of coding for the project. The chances of someone outside this inner core of developers actually sitting down with the code and looking for bugs are basically non-existent. The projects are too large and too complicated for dilettantes to have much of an impact - the amount of work needed to familiarize yourself with the codebase in order to make meaningful contributions pretty much bars folks from simply dipping in and shotgunning some bug fixes into place. So, effectively, the "many eyeballs" paradigm is simply an illusion in most cases. It sounds nice in theory, but it doesn't really exist in reality.
"What are you suggesting? "Many eyeballs" translates into instantaneous discovery?"
Sure, because that is the value point the Open Source crowd claims of having "Many eyeballs".