I really think you're overstating things because that's not true for a majority of people. A 0-day found in open source code is no different than a 0-day in closed source. In both cases you need to responsibly disclose it to the maintainer and sit and wait for the fix to trickle through support channels. With open source you can attempt to submit a patch.
If I found a bug in ssl, I can't imagine I'd re-compile that and track down every package I use that relies on it and re-compile those. Everyone uses their own build system, and managing dependencies sucks. I'd try to mitigate the risk against those tools until fixes were distributed through normal channels, just like I would in Windows or macOS.
If I were a large company, with closed source software I would have a vendor agreement to get fixes/changes; with open source I would have the expertise in-house and extra labor (or I'd have an agreement with a support company like Red Hat, much like closed source software). A small company likely won't have the expertise in-house or the spare bandwidth to mess with those things. For home users it would have to be someone with a serious hobby and specific skills.
That may be true, but the alternative is certainly worse.