That is why Ledger has something that is known as "Responsibly Disclosing of Vulnerabilities".
https://www.ledger.com/our-shared-security-responsibly-disclosing-competitor-vulnerabilities/

They don't simply make the findings public when they are discovered. They analyze them and inform the affected party, in this case Trezor, about their findings. The developers are given time to fix the issues before they go public.
Open source is always better than closed source. You need to know what is going on under the hood. With closed source software your usage is based on just a promise that the developers' intentions are good.
It's more a matter of context. GitHub, the world's largest host of source code, indicates that there are only around 180 contributors to the open source code of the oldest hardware wallet brand, Trezor. This statistic stands in sharp contrast with the communities of other hardware products such as the Raspberry Pi, whose contributors to its open source firmware number around 9,500. In the context of our relatively small development community, we need to be especially wary of the fact that sharing source code is a double-edged sword. For hardware wallets, the unfortunate truth is that releasing source code makes it easier for hackers to detect loopholes and carry out attacks. Open source code can even open the door for cybercriminals to produce counterfeit hardware wallets capable of deceiving consumers, a security threat Trezor has already been the victim of:
https://cointelegraph.com/news/trezor-one-wallets-forgery-reveals-new-techniques-used-to-steal-crypto