That is why Ledger has something that is known as "Responsible Disclosure of Vulnerabilities".
https://www.ledger.com/our-shared-security-responsibly-disclosing-competitor-vulnerabilities/
They don't simply make the findings public when they are discovered. They analyze them and inform the affected party, in this case Trezor, about their findings. The developers are given time to fix the issues before they go public.
Open source is always better than closed source. You need to know what is going on under the hood. With closed source software your usage is based on just a promise that the developers' intentions are good.
Ledger is not completely open source. Trezor is.