That is because having millions of eyes on the code doesn't mean all of those eyes are qualified to spot flaws.
"Just because you have a critical mass of people reviewing the code, are they qualified to do so?" asked Aaron Tantleff, a partner at Foley & Lardner. "There are no credentials to speak of, or certification that can be given to code reviewed by the open source community."
That is McAleavey's view as well. "Just because the source code is there doesn't mean that all of those eyeballs understand what the code actually does, or does incorrectly," he said.
And even if flaws are spotted and patches created, that doesn't guarantee they will be installed in every device or system that could be affected.
Tantleff said recent history is proof. "One need not look back very far to find examples of the risk of open source in one's environment," he said. "Park 'n Fly and OneStopParking.com suffered from attacks due to an open-source-based security vulnerability that existed in the Joomla content management platform.
"A security patch had been issued well before the attack, but unfortunately the patch was never installed," he said.
McAleavey, who said he started working with Linux, one of the most popular open-source operating systems, when it came on the scene more than 20 years ago, said this problem exists largely because open source tends to exist as "two separate entities."
In the case of Linux, "there is the 'kernel team,' which is the primary operating system itself, and then there are 'application maintainers,'" he said.
"Any changes to the Linux kernel itself still have to be approved by Linus Torvalds (the creator of Linux) personally or through one of his handful of trusted kernel maintainers. They, and only they, determine what happens to the core kernel OS itself," he said.
"But they have no interest whatsoever in what happens among the literally thousands of other open-source developers who maintain a single application or 'package' — also known as 'distros' or 'distributions' — of Linux. They're pretty much on their own."
That, he said, has led to "absolute anarchy in userland. And that's not good for stability or security. No one is in charge."
Los said closed-source software is "just as susceptible to being 'abandoned' as open source," but noted that the incentive to maintain and update commercial or proprietary software is there, "if the vendor truly cares for their product quality."
But, like McAleavey, Los said open-source components used in commercial applications "are a massive problem, primarily because they're forgotten. Take, for instance, the OpenSSL library and the issues that popped up when a series of major flaws were discovered in it. Open-source and commercial software alike fell victim to the dire need to patch, but where OpenSSL was used in commercial applications, many of the end users simply weren't aware that it was there and so didn't know it needed to be patched."
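The practical answer to "we didn't know OpenSSL was in there" is an inventory check that does not rely on the package manager. Every OpenSSL build compiles in a version banner (the OPENSSL_VERSION_TEXT string, e.g. "OpenSSL 1.0.1f 6 Jan 2014"), and that string survives inside any executable or shared library that links the library statically or bundles its own copy. The script below is an added example, not code from the article or from any of the people quoted in it: it scans a directory tree for that banner and flags copies in the Heartbleed range (1.0.1 through 1.0.1f, fixed in 1.0.1g). The banner regex and the hard-coded fixed version are simplifying assumptions; a real inventory would compare against current OpenSSL advisories and also cover repackaged forks.

```python
"""Added example (not from the article): find forgotten OpenSSL copies by
scanning binaries for the version banner OpenSSL compiles into itself."""
import os
import re
import sys

# OpenSSL embeds a banner such as b"OpenSSL 1.0.1f 6 Jan 2014" or
# b"OpenSSL 1.0.2k-fips  26 Jan 2017" in libcrypto/libssl and, through
# static linking, in whatever links them. Regex is an assumption: it covers
# the common release-banner shapes, not pre-release or heavily patched builds.
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})(?:-\w+)? +\d{1,2} [A-Z][a-z]{2} \d{4}"
)

# Assumption used for illustration: Heartbleed (CVE-2014-0160) affected
# 1.0.1 through 1.0.1f; 1.0.1g was the first fixed release in that line.
HEARTBLEED_FIXED = "1.0.1g"


def find_openssl_versions(data):
    """Return the distinct OpenSSL version strings present in a byte blob."""
    return sorted({m.group(1).decode() for m in BANNER.finditer(data)})


def version_key(version):
    """'1.0.1f' -> (1, 0, 1, 'f'), so versions in one line sort correctly."""
    nums, letters = re.match(r"(\d+\.\d+\.\d+)([a-z]*)", version).groups()
    return tuple(int(x) for x in nums.split(".")) + (letters,)


def is_heartbleed_vulnerable(version):
    """True for 1.0.1 line releases older than the fixed release."""
    key = version_key(version)
    return key[:3] == (1, 0, 1) and key < version_key(HEARTBLEED_FIXED)


def scan_tree(root):
    """Map each file under root that carries an OpenSSL banner to its versions."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or special file; skip rather than abort
            versions = find_openssl_versions(data)
            if versions:
                findings[path] = versions
    return findings


def report(findings):
    """Render findings as lines, marking versions in the vulnerable range."""
    lines = []
    for path, versions in sorted(findings.items()):
        for v in versions:
            flag = "VULNERABLE" if is_heartbleed_vulnerable(v) else "ok"
            lines.append("%s: OpenSSL %s [%s]" % (path, v, flag))
    return lines


# Constructed sample blob standing in for a vendor binary with a static
# OpenSSL 1.0.1f linked in; real inputs come from scan_tree(<directory>).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"OpenSSL 1.0.1f 6 Jan 2014\x00"
    + b"some other strings\x00"
)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    found = scan_tree(root) if root else {"<sample blob>": find_openssl_versions(SAMPLE_BINARY)}
    for line in report(found):
        print(line)
```

Run it against /opt, /usr/local or a vendor appliance's extracted filesystem; what it turns up is the forgotten copy the quote describes, the one no package database lists and no vendor advisory reaches. The same approach works for other bundled libraries that embed a version string, which is most of them.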