This question was brought up recently in a forum I frequent, and I decided I should go on the record here on the blog. In short, my view is this:
I believe, as many others do, that it doesn’t necessarily mean anything at all, in terms of security, for a project to be open vs. closed source. It’s all about the quality of the work being done on a given project.
100 highly-skilled, security-oriented programmers working diligently on a closed-source project are likely to produce superior code to that of 1000 untrained hobbyists.
The concept of "many eyes" only works when the quality is the same, e.g. 1000 vs. 10,000 developers of comparable skill. When the quality of the work on a project is different, i.e. the closed-source coders are superior to their open counterparts (or vice versa), it's that work quality that determines the code quality, not the development model.