They claimed that if you needed to vett it for specific vulnerabilities, you were capable of doing so
And the song and dance about “open source isn’t more secure” is meaningless, as you don’t care about security the same way in all applications, and the ones trivial enough not to care about are going to be by and large open source
(Assuming their data collection methods were even adequate, as by definition they could only vett the open source half of the claim. We know for a fact that proprietary software routinely buries or hides vulnerabilities unless forced to do otherwise)