Guess the old replies to that of "oh, but it's open source! Anyone can see the code...so there's no need for security because the OS is secure because anyone can see the code! See? Any bugs and they're fixed in like hours. Don't worry!"

At least that's what I used to hear all the time. We've now seen that was hogwash.