
Trusting closed-source applications over open-source sounds odd. Security by obscurity is not desirable. What you said about open-source, everyone can read it, is a strength not a weakness.

As long as there is programming there are bugs. We can't prove correctness of all programs by writing purely functional code. Having more eyes on the same code is more likely to expose these bugs. The caveat is that everyone hopes someone else has checked the code. But I don't see how using closed-source application would solve this issue.




That's exactly it. When a startup is just starting, the bugs can be exposed and exploited. Someone's got to fix them. Not every project is huge like Linux and WebKit. Yes, the mantra is with enough eyes, all bugs are shallow, but in the meantime anything that could be exploited would be exploited, if the network becomes big. The effort to result ratio would be small.

Security by obscurity can be better than exposing all your code to the world where any hacker can compromise the whole network, BEFORE the fix is patched.

And even with open source, would I trust a random small host to secure it better than Google? Look at all the Android vendors that don't even install the latest patches.


Fuzzing systems find exploits quite effectively in systems that are only available as binaries or APIs. SBO only really works if you're obscure in the sense that hardly anyone is using the system.


Fuzzing systems can do far less than an attacker who has the whole source code.



