Ledger is not completely open source. Trezor is.
You are right.
All software should be open source, as it is much safer.
However, Trezor has vulnerabilities which Ledger doesn't, like this one.
So everyone with a Trezor device should use a strong passphrase to protect themselves against this vulnerability:
https://cryptobit.media/en/news/other/1789/