by BoringCode
3246 days ago
I am concurring with you. The point I'm making is that it's a matter of resources and trust, not literal "open source" that matters. If I trust an organization to put the resources towards properly auditing their software, that's often far more important than whether or not I can personally do an audit. The majority of people and organizations do not have the time or technical skills to properly evaluate software. Whether the software they use is open-source won't ultimately matter. The "many eyes" argument often falls apart because most of the time there simply aren't that many eyes dedicated to a project. What is the practical difference between Microsoft hiring 100 people to perform security audits and an open-source project that has 100 volunteers? Resources and trust. If you trust the open-source project to dedicate resources to security, and their software fits in your threat model, then use it. Or the inverse: if you don't trust MS and their software doesn't fit, avoid it. The vast majority of the time open-source vs. closed-source should not be the main differentiator, but rather a smaller element of an informed decision.