People often argue that open source software is much more secure because anybody can review the source code and find problems, which is not possible with closed source software like Windows. A nonsense argument.
Theories are valid until a counter-example is found.
The Debian Linux distribution currently provides a great one. Years ago they "fixed" the random-number generator in their OpenSSL package: to silence a memory checker's warnings about uninitialized data, the lines that fed entropy into the generator were removed. After the fix it generated predictable instead of random numbers; the process ID was the only input left, so there were just 32,768 possible outputs for a given key type and platform. That's almost as bad as it can possibly get, because most modern crypto relies on random numbers. If they're predictable, the keys generated from them are predictable, too.
This security flaw was present for almost two years(!) in a widely used software package on one of the most popular Linux distributions, and nobody found it until a few days ago. And what makes this much worse than it already sounds: it is not sufficient to fix the bug. Every key that was created with the flawed versions has to be regenerated, and every certificate issued for such a key has to be replaced.
It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised;
[...]
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections.
If you're interested, here's what the Debian security team has to say in their advisory.
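To make both points concrete (the predictable keys described above the quote, and the advisory's warning that DSA keys merely used on an affected system are compromised), here is an added example; it is not part of the original post and is neither Debian's nor OpenSSL's code. It is pure Python and models the failure with toy building blocks: a key generator and a DSA nonce that depend on nothing but the process ID (the only input the broken PRNG had left), hash-based derivations, and DSA parameters far too small for real use. All of those are assumptions made for illustration; the attack logic is the point: enumerate the 32,768 possible seeds, and, for DSA, use the recovered nonce to compute the private key from a single signature.

```python
"""Added example (not from the original post, Debian or OpenSSL): (1) a keygen
whose only entropy is the pid has at most 32768 outputs, so the key falls to
enumeration; (2) a DSA signature made with such a nonce leaks the private key,
so keys merely *used* for signing are lost too. All parameters are toy."""
import hashlib
import random

PID_MAX = 32768  # Linux pid_max of the era: pids fit in 15 bits

def weak_keypair(pid: int) -> tuple[bytes, str]:
    """Constructed keygen: private key from the pid alone, public key a one-way function of it."""
    priv = hashlib.sha256(b"seed:" + pid.to_bytes(2, "big")).digest()
    return priv, hashlib.sha256(b"pub:" + priv).hexdigest()

def recover_weak_private_key(pub: str):
    for pid in range(1, PID_MAX):  # attacker: at most PID_MAX seeds, so at most PID_MAX keys
        priv, candidate = weak_keypair(pid)
        if candidate == pub:
            return priv
    return None

def _is_prime(n: int) -> bool:
    """Miller-Rabin; these bases are deterministic for n < 3.4e14."""
    bases = (2, 3, 5, 7, 11, 13, 17)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_dsa_params(rng: random.Random) -> tuple[int, int, int]:
    """Tiny (p, q, g) with q | p-1: 24-bit q, ~40-bit p, illustration only."""
    while True:
        q = rng.getrandbits(24) | (1 << 23) | 1
        if _is_prime(q):
            break
    while True:
        m = (rng.getrandbits(16) | (1 << 15)) & ~1  # even, so p is odd
        p = q * m + 1
        if _is_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), m, p)  # h^((p-1)/q) mod p
        if g != 1:
            return p, q, g

def weak_nonce(pid: int, q: int) -> int:
    """Constructed: the per-signature nonce k depends on the pid only."""
    digest = hashlib.sha256(b"nonce:" + pid.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1

def dsa_sign(params, x: int, h: int, k: int) -> tuple[int, int]:
    p, q, g = params
    r = pow(g, k, p) % q
    return r, pow(k, -1, q) * (h + x * r) % q

def dsa_verify(params, y: int, h: int, sig) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return (pow(g, h * w % q, p) * pow(y, r * w % q, p) % p) % q == r

def recover_dsa_key_from_weak_nonce(params, y: int, h: int, sig):
    """Attacker: find the pid whose nonce gives r, then x = (s*k - h) * r^-1 mod q, checked against y."""
    p, q, g = params
    r, s = sig
    for pid in range(1, PID_MAX):
        k = weak_nonce(pid, q)
        if pow(g, k, p) % q == r:
            x = (s * k - h) * pow(r, -1, q) % q
            if pow(g, x, p) == y:
                return x
    return None

def dsa_demo(seed: int = 2008) -> tuple:
    """One run: returns (real x, recovered x, original signature verifies)."""
    rng = random.Random(seed)
    p, q, g = params = toy_dsa_params(rng)
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    h = int.from_bytes(hashlib.sha256(b"constructed message").digest(), "big") % q
    while True:  # retry the (astronomically unlikely) r == 0 or s == 0 case
        sig = dsa_sign(params, x, h, weak_nonce(rng.randrange(1, PID_MAX), q))
        if 0 not in sig:
            break
    return x, recover_dsa_key_from_weak_nonce(params, y, h, sig), dsa_verify(params, y, h, sig)
```

The functions return the real and the recovered key so a caller can compare them. The DSA half is the reason the advisory goes further for DSA than for other key types: a strong RSA key generated on a healthy system stays safe when used on a broken one, but a DSA signature needs a fresh secret nonce every time, and one signature made with a predictable nonce gives away the key no matter where that key was generated.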
Open source software is not secure per se. You need to define a development process which honors security from the very first moment until the product's end of life. Everybody involved in designing, developing, testing and supporting the product needs to follow it, including whoever patches it downstream: in the Debian case a distribution-specific change to cryptographic code went in, and the "many eyes" never looked at it. And you have to adapt the process continuously because the bad guys are adapting, too.
Unfortunately not many companies have such a process today, and for open source projects it's probably much more difficult to establish one.