It is always harder, because it always take more time.
We don't know the ratio (how many bugs more would have been found if VMware would be open source)
We can agree to disagree. I just don’t think it’s the high order bit in determining the rate of vulnerability discovery - in my opinion the commercial utility (white / black / grey) of the exploits is a more important factor in determining how quickly they are found.