I think the author is missing (or perhaps just discounting) the fact that not all developers have the same level of competency. Just because someone releases code as free software or open source doesn't mean they have done the work that a more skilled practitioner of the art would do prior to public release. It's not just money that determines code quality, but there are cases in which it can help. Taste in selecting which code and features are accepted by a maintainer will have a huge impact on the resulting security track record of a project.