But the effectiveness of this kind of 'sploit, like every other kind, is limited by the diversity of implementations out there. There is no mother of all protocol compilers that could have been infected with a trojan, and that one could use to bring down all networks. Nor is there any other one-size-fits-all exploit, nor even a manageable collection of them that any group short of an NSA or GCHQ type government agency could possibly make any practical use of.
But source-code auditing isn't a panacea. For one thing, an insider can change the code after it's been audited. For another, the backdoor could be inserted in an obscure way that might survive an audit. Also, the audit process could itself have been compromised, although that's less likely.
I think there are risks from worms which can systematically look for the unusual vulnerabilities [for instance, an infrastructure-support computer that a careless person has left attached to the Internet, or a computer that somebody with security clearances uses at home and which might have revealing, even if non-classified, information on it]. Such worms can install backdoors and keystroke loggers. A worm could also simply be used to take over large numbers of ordinary machines on the Internet, causing economic disruption if done on a large enough scale.
Moreover, password security is often quite poor, and keystroke loggers make the password situation worse. People often use the same passwords on multiple machines, for convenience; what can ensure that they don't use the same password on a critical or classified machine that they use on a regular (easily-compromised) machine on the Internet? Of course, the terrorists would still have to get access to the critical machine being attacked, but still....
We know that the various secret U.S. government services have been infiltrated by moles over the years. Nuclear secrets have been stolen. People find it believable that anthrax may have been stolen from the U.S. biowarfare facility at Ft. Detrick. With this kind of track record, I would assume that a determined enemy could gain access to machines with classified information or to machines controlling various devices, in an inside job.
Finally, the effect of a denial-of-service attack in conjunction with a physical attack, disrupting emergency responses, shouldn't be underestimated.