
That's exactly it. When a startup is just starting, the bugs can be exposed and exploited. Someone's got to fix them. Not every project is huge like Linux and WebKit. Yes, the mantra is "with enough eyes, all bugs are shallow," but in the meantime anything that could be exploited would be exploited, if the network becomes big. The effort-to-result ratio would be small.

Security by obscurity can be better than exposing all your code to the world, where any hacker can compromise the whole network BEFORE the fix is patched.

And even with open source, would I trust a random small host to secure it better than Google? Look at all the Android vendors that don't even install the latest patches.



Fuzzing systems find exploits quite effectively in systems that are only available as binaries or APIs. SBO only really works if you're obscure in the sense that hardly anyone is using the system.


Fuzzing systems can do far less than an attacker who has the whole source code.