Hacker News
by imtringued 2010 days ago
Open source software has "more" vulnerabilities because more of them get reported. With proprietary software, black hats are gathering exploits in a weapons silo, ready to be sold on the black market.

For some reason, businesses prefer to cover up their vulnerabilities instead of fixing them. When you report a vulnerability as a white hat, there is a big risk that the company will use you as a scapegoat and sue you. For a business it is much easier to claim that they "caught a hacker" than to admit their weakness in public.

HackerOne is basically a "vulnerability black hole as a service" because researchers are dependent on bounties for their income. Disclosing an ignored vulnerability publicly weeks or months after the HackerOne report can lead to getting banned on HackerOne and thereby ruin your ability to collect bounties.