The vulnerability was first found by a fuzzer, which would have worked equally well on closed-source software. And I believe the fuzz tester (part of Codenomicon's "Defensics") is also closed-source.
You misunderstand - how would the public have found out about the results of that audit? There is no incentive to release this information for a closed product; very much the opposite.