Nobody said that open source has no security bugs. No software that does something useful is bug-free.