by bmalehorn 2591 days ago
As a former Cisco employee, I can tell you why companies never want to open source their security-sensitive products:

Pros of open sourcing a product:

- fewer total number of vulnerabilities

Cons of open sourcing a product:

- more publicly-known vulnerabilities

- less effort required to find new vulnerabilities

The product might be more objectively secure, with more bug reports and more fixes.

But it will be less practically secure. There will be more known vulnerabilities, and many customers can't upgrade, leaving more total vulnerable customers. And worse, now anyone on the internet can try and find new vulnerabilities for $0, while before they'd need to buy a $1,000+ piece of hardware to even get a shot at the compiled code.

The real defense against this problem is security auditing. Security engineers try to hack the device while asking a bunch of questions about SSH connections and private keys. This is the technique most companies employ, often combined with bug bounties.

2 comments

Auditor: "Question 1. Did you manage to add backdoor keys to your production build?"

Auditor: "Big surprise. We once again recommend that you use a build system. Question 2. ..."

Really what you're saying is that if you open source your product the degree of shittiness will then be obvious to everyone, and that security by obscurity keeps the managers happy because they think there is less work.