Vulnerabilities exist in every piece of complex software. Open source means that when a something is found, it'll be patched and pushed out quickly because there is no secrecy and everybody just wants it to get done. In commercial, closed source software, the infectives are different. Companies world rather spend their time on money making activities that supporting their old stuff. And they're scared of reputational damage, so they're more likely to sweep things under the rug. Generally, i trust open source software far more.