The exchange hack cases that I know of have never been because of a security flaw in their systems.
Exhibit 1: Bitgrail - 170M $
They had a vulnerability which allowed people to withdraw funds they did not have. A lot of ETH and NANO was stolen this way.
The extremely embarrassing mistake which led to that was that sanity checks were handled client-side (javascript; LOL).
Exhibit 2: GateHub - 10M $
The attacker gained access to a database holding (valid) API tokens of their customers.
These were used to withdraw funds.
Exhibit 3: Bitfinex - 72M $ (120K BTC at that time)
Bitfinex had a flaw in the design of their system.
They were using multisig wallets in cooperation with Bitgo as a co-signer.
Unfortunately, the Bitgo server basically signed whatever bitfinex wanted to be signed.
Once an attacker gained access to the Bitfinex server, he 1) had Bitfinex sign a transaction and 2) told Bitgo to co-sign it from the Bitfinex server.
And these three are definitely not all of the cases where security flaws in the technology and the system design were the reason for funds being stolen.
[...] but I still prefer open source software because the closed source one is audited by one person/team while the open source one can be audited by thousands, and they usually are (the popular ones, anyway).
The problem is that auditing can never find all technical and design flaws.
The software has to be built with security in mind - from the beginning.
'Implementing' security afterwards almost always goes wrong.
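As an added illustration of the Bitfinex/Bitgo design point above (this is not code from the thread, from Bitfinex or from Bitgo), the difference between a co-signer that signs whatever the primary server sends and one that enforces its own allow-list and velocity limit, so a compromised primary server alone cannot drain the wallet. Addresses, amounts, limits and timestamps are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SATOSHI = 100_000_000  # amounts are integer satoshis to avoid float rounding

@dataclass(frozen=True)
class Withdrawal:
    dest: str             # destination address (constructed placeholder values below)
    amount: int           # satoshis
    requested_at: datetime

class RubberStampCoSigner:
    """The behaviour the post describes: co-signs whatever the primary server asks."""
    def cosign(self, w: Withdrawal) -> bool:
        return True

@dataclass
class IndependentCoSigner:
    """Co-signer that keeps its own policy and its own state, so the primary
    server cannot move funds outside that policy even if it is fully compromised."""
    allowed_dests: frozenset
    daily_limit: int
    window: timedelta = timedelta(hours=24)
    signed: list = field(default_factory=list)

    def cosign(self, w: Withdrawal) -> bool:
        if w.dest not in self.allowed_dests:
            return False  # unknown destination: refuse, no matter who asks
        spent = sum(s.amount for s in self.signed
                    if w.requested_at - s.requested_at < self.window)
        if spent + w.amount > self.daily_limit:
            return False  # velocity limit bounds the damage of a compromise
        self.signed.append(w)
        return True

def run_requests(cosigner, requests) -> int:
    """Feed withdrawal requests (as a compromised primary server would) to a
    co-signer and return the total amount that ends up fully signed."""
    return sum(w.amount for w in requests if cosigner.cosign(w))

# Constructed sample: 120 requests from the primary server to an attacker-chosen
# address, plus one legitimate withdrawal to a pre-registered customer address.
T0 = datetime(2016, 8, 2, 12, 0)
DRAIN = [Withdrawal("bc1q-attacker-placeholder", 1_000 * SATOSHI,
                    T0 + timedelta(minutes=i)) for i in range(120)]
LEGIT = [Withdrawal("bc1q-customer-placeholder", 2 * SATOSHI, T0)]
POLICY = IndependentCoSigner(frozenset({"bc1q-customer-placeholder"}),
                             daily_limit=100 * SATOSHI)
```

With the rubber-stamp co-signer every drain request is fully signed; with the independent policy none of them are, while the customer's withdrawal still goes through.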