Does the current evidence noted by fallat — the massive amount of extremely high impact open source projects that don't have malware embedded in them — suggest the error rate is much, much lower than 1%?
Open source projects are not a good point of reference because by their very nature they invite external validation. If you are trying to steal $300M, you don't tell people beforehand that you are going to do it. There is also a difference between the money being right there, only one step away from being yours, and infecting open source software with the possibility of maybe stealing something in some company that may or may not use your software in a way that would allow theft months or years after you submitted an update.
Edit: After doing some research, it appears that claims that open source doesn't fall victim to this problem are factually incorrect. [0]
[0] https://blog.sonatype.com/open-source-attacks-on-the-rise-to...