Free as in freedom, not beer. You can look at the code of free software and therefore tell whether it's phoning home or not. More importantly, you can change it.
Exactly. This is how the Google Chromium always-on voice recognition payload was discovered, for example. We may never have known about it if it wasn't an open source project, or at least we wouldn't have heard about it until long after it shipped.
Not many, but the effort is parallelizable. If you find a security problem and report it in public, others can verify it, and still others can benefit from the fix even if they never would have bothered to look for themselves.