Source: Mempko blog - Link
In Code Complete, Steve McConnell wrote extensively on defects in production systems. The industry average defect rate is about 15 – 50 bugs per 1000 lines of code. Some techniques used by NASA can get bug count to almost zero. Open source software likely has MORE bugs per 1000 lines of code because most open source projects have 1 developer and no eyeballs.
One developer and no eyeballs. Kinda kills that whole “OSS is more secure because everyone sees it” narrative. True from some projects, but only some.