But open source has its own history of major security flaws, particularly the last two years.

I would be curious to know what % of security flaws are discovered because exploited vs as a result of a code review.