How many people do the security code review with this process? How do they avoid piling dozens of well hidden holes when you not use a library that is publicly available and seen by thousands of eyes?

Isn’t the best argument for open source code that it has so many people, most companies can not afford such a global quality assurance.