The security of a product has nothing to do with whether it is open or closed source. It has everything to do with whether you use secure programming practices when you write and test your code.
Also heartbleed is, whilst quite serious and needing to be urgently patched, not any more or less serious than a whole ton of other bugs that come out in any given year.
Remember the YAML deserialization bug which was RCE against a fairly large fraction of the Internet? Or the web.config padding oracle that was RCE versus most IIS installs? Or how about the MS-0867 bug, which was RCE against basically any Windows machine at the time.
You could have used any of those bugs to take SSL private keys and userdata from a webserver, and considerably more.
And that's before we even go into vulnerabilities that are functionally equivalent to Heartbleed, but without the same level of media-fueled hysteria - like the Debian random bug, Apple's goto fail and CVE-2011-4315 which is identical in behavior to the heartbleed vulnerability but affecting just nginx instead of all of OpenSSL.
RCE in a web server? Bleh. Web servers will be web servers. I think a lot of hysteria comes from the fact that the bug is in an SSL library, who's entire purpose to some extent is to provide security. Security hole in a security library? That's scandalous. Especially when compounded with all the latent hysteria over the months from you know what.
If we can't have a bug free SSL implementation, what can we trust? Also that it has a cool name and even its own hipster-approved logo and Bootstrap web site. Who can get excited over something named CVE-034984785474-3-3083e78wehhd7sce in some government database?
Although to be fair, maybe people should start getting excited over things like these. Heartbleed (aka. CVE-2014-0160... :) ) was one of the best marketed security vulnerabilities ever. There is a lot of the security community could learn from that.