That’s essentially my point. Just finding simple code quality issues isn’t going to cut it, especially when you need hundreds of thousands of dollars of hardware to even test the code against.
Open sourcing my MRI scans for the general public to read "doesn't hurt" either. Doesn't mean it's a worthwhile/valuable thing to do.
And I also challenge you on "it doesn't hurt". Consider military adversaries developing targeted attacks against critical infrastructure because it's open sourced.