My point was that you don't actually know, and you don't technically need all the vendors. Just the big ones, and there's not really that many. Even more to the point, you don't even need all of the big ones, just the ones on the biggest network, which honestly probably just one vendor on the whole network due to volume purchase discounts and interoperability concerns.
But more to the point, you don't know what's going on in closed source code. It's trust. However the trust can, and has been violated in the past (whether by the provider or by a third party is immaterial). You just don't know. Now that doesn't mean that open source software is immune. I seem to remember there was a backdoor found in the Linux kernel a few years ago. These things happen, but at least it's easier to audit.
But more to the point, you don't know what's going on in closed source code. It's trust. However the trust can, and has been violated in the past (whether by the provider or by a third party is immaterial). You just don't know. Now that doesn't mean that open source software is immune. I seem to remember there was a backdoor found in the Linux kernel a few years ago. These things happen, but at least it's easier to audit.