15 years ago, when we started the industry of white-hat hackers finding vulns and reporting them, "everyone knew" that open-source was more secure than closed-source because of the "many eyeballs" theory that the many people looking at open-source would find/fix bugs faster than in closed-source products. This was analogous to cryptography, where the only trustworthy crypto algorithms were those widely published and analyzed, and that anybody attempting "security through obscurity" by hiding their crypto algorithm was inevitably found to have made a serious mistake. But things never worked out this way. Open-source has failed to demonstrate any advantage in security. The problem is that while many eyeballs can look at open-source, they don't. Open-source programmers just don't have the incentive. They want to write new code and add new cool features, not try to break old stuff. Conversely, at Microsoft, many eyeballs do look at code. Microsoft pays them to, then pays other programers to attack the code with fuzzers and static analyzers. PHP may be more popular than Microsoft's ASP/.NET, but more eyeballs have looked at the Microsoft stuff. The recent "cgi-php" vuln is definite proof that the "many eyeballs" theory doesn't work. PHP is one of the most popular bits of code on the web. The vuln was obvious to any eyeballs looking at the code. Yet it sat there undiscovered for 7 years. I'm not saying Microsoft is any better, or that other factors don't exist that make open-source better than closed-source. I'm just saying that the "many eyeballs" theory has been proven false as much as any theory can be proven false. Things slip through the open-source development process that even a small number of "eyeballs" should've caught. The putative eyeballs haven't materialized. The days of open-source ideology is over, it's time we judged software on its individual merits, not its origin.
Update: On Twitter, Weev points out bug bounties. I think those are a winner. You can trust Google Chrome or Mozilla Firefox because they pay people to find bugs. This directs eyeballs their way. I trust Chrome over Internet Explorer not because it's open-source, but because they pay people to put eyeballs on it. Thus, the new axis is "bounties vs. no-bounties", not "open-source vs. close-source".
Update: On Twitter, people are pointing out that we ought to "crowd-source" bug-bounties. Is "crowd-sourced" the new "open-source"?
Update:On Twitter, Dan Kaminsky argues that it's not coder eyeballs that makes code secure, but user eyeballs.