Hacker News

The audit occurred because testing revealed the presence of a problem. Shutting the stable door after the horse has bolted is no vindication of open source.


How would you have found the bug without it being open source? You think companies pay for these open public audits on proprietary software?


The vulnerability was first found by a fuzzer, which would have worked equally well on closed-source software. And I believe the fuzz tester (part of Codenomicon's "Defensics") is also closed-source.


You misunderstand - how would the public have found out about the results of that audit? There is no incentive to release this information for a closed product; very much the opposite.


This point is important. Testing came first and then auditing. In other words, black box testing and then white box testing. Why pretend you are better off just because you have millions of lines of inscrutable source?
