Take Wordpress as an example, the code is open source, yet the majority of loopholes come from plugins, not really the core.
But, we never know.