Going to play Devil’s advocate here, but open source does not automatically mean that things are safe or that anyone is even auditing the code on anything that resembles a regular basis.

Heartbleed was introduced into OpenSSL source code in 2012 and wasn’t discovered and fixed until 2014