In addition to the many xscreensaver bugs over the years that the sibling post mentioned, last year there was a systemd root escalation exploit that was the same class of programming error as Apple's bug that enabled the root account with an empty password. From my understanding, in both cases they misinterpreted the return code's magic number (-1) as something it wasn't.
Also, Linus' Law has some doubters. Things like Heartbleed show that Open Source isn't immune to long-standing, very impactful bugs.
I completely agree it is an advantage and I'm very happy there are options that are mostly Open Source (I say mostly because I'm not a fan of binary drivers, which are often a necessity for decent performance or features).
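The bug class the first comment describes (a -1 error return read as if it were a valid value) as an added illustration in C. This is constructed for this thread and is not code from systemd, Apple, or either reported bug; the user table and function names are hypothetical.

```c
#include <string.h>

/* Constructed stand-in for a passwd database (hypothetical names and ids). */
struct entry { const char *name; int uid; };
static const struct entry users[] = {
    { "root", 0 }, { "www", 33 }, { "backup", 34 },
};

/* Returns the uid for a name, or -1 as an error sentinel when unknown.
 * -1 is not a uid; it only means "lookup failed". */
int lookup_uid(const char *name) {
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return users[i].uid;
    return -1;
}

/* Buggy pattern: the signed -1 sentinel is stored into an unsigned id and
 * then interpreted under a different convention, where (uid_t)-1 means
 * "leave this id unchanged" (the convention setresuid(2) uses).  A service
 * that starts as root and is told to run as an unknown user therefore keeps
 * root instead of failing. */
unsigned int effective_uid_buggy(const char *name, unsigned int current) {
    unsigned int target = (unsigned int)lookup_uid(name);
    if (target == (unsigned int)-1)
        return current;            /* error silently becomes "no change" */
    return target;
}

/* Fixed pattern: test the signed return before converting it, and make the
 * failure explicit so the caller aborts rather than falling back. */
struct uid_result { int ok; unsigned int uid; };

struct uid_result effective_uid_checked(const char *name) {
    struct uid_result r = { 0, 0 };
    int uid = lookup_uid(name);
    if (uid < 0)
        return r;                  /* ok == 0: refuse to continue */
    r.ok = 1;
    r.uid = (unsigned int)uid;
    return r;
}
```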
> Why all-or-nothin?
The parent was citing the existence of a few specific bugs in macOS and Open Source as an alternative (implying it wasn't vulnerable). I really think the "given enough eyeballs, all bugs are shallow" is something Open Source advocates take too much comfort in. The idea does have merit, but there needs to be more study/context to how it plays out in real life.
Another example where this idea fails: there are credible suspicions that the NSA has influenced encryption standards, introducing backdoors or known flaws, even though the algorithms themselves are publicly known and freely available, as are the implementations.
I really think you're overstating things because that's not true for a majority of people. A 0-day found in open source code is no different than a 0-day in closed source. In both cases you need to responsibly disclose it to the maintainer and sit and wait for the fix to trickle through support channels. With open source you can attempt to submit a patch.
If I found a bug in ssl, I can't imagine I'd re-compile that and track down every package I use that relies on it and re-compile those. Everyone uses their own build system and managing dependencies sucks. I'd try and mitigate the risk against those tools until fixes were distributed through normal channels--just like I would in Windows or macOS.
If I were a large company, with closed source software I would have a vendor agreement to get fixes/changes; with open source I would have the expertise in-house and extra labor (or I'd have an agreement with a support company like Red Hat, much like closed source software). A small company likely won't have the expertise in house or the spare bandwidth to mess with those things. For home users it would have to be someone with a serious hobby and specific skills.