Yeah, but.. the only reason this vulnerability was discovered is because OpenSSL is open source.
So the whole "open source is inherently more secure" idea comes from Linus's law. But there is an "axiom" that must apply first:
"given enough eyeballs, all bugs are shallow"
The key is "given enough eyeballs". Short of the really big open source projects, there is only a handful of people who are both qualified to review the code and willing to. Or, restructuring this statement: all bugs are not shallow, unless the FOSS project has enough eyeballs. Therefore, it is not a statement on the quality of FOSS in general. Rather, it is a statement that the correctness of a software system is dependent on a variable linked positively to the # (and arguably, the "quality") of the eyes looking at it.
But that doesn't even require FOSS necessarily. Right? Because, you know, Microsoft can hire a metric ton of high quality eyes to look over their code. If they do this, under Linus's law their bugs will be shallow. I don't disagree with this. I think Linus's law is pretty reasonable; it's just that people have been reading and extending it incorrectly.
So what is something that we can claim is a characteristic of FOSS that doesn't exist in proprietary systems when it comes to security and bug fixing?
At the basic level, open source allows (but does not guarantee) the existence of independent review of other people's original code, even without informing the original authors first. Proprietary software, well, does not. It's just fact. Maybe that's what should have been made into a law. I call it Bass's law.