Let's always remember though, that open-source and DIY does not guarantee security of the codebase. It's possible / plausible that especially a newer, smaller DIY project with few, non-monetarily-motivated developers has had less 'eyes on the code' and fewer professional penetration tests against it than a commercially developed and sold product.
True, but at the same time there is much less danger that some attacker would even try to attack relatively unknown devices like this.
It's almost impossible for them to achieve anything because these devices are mostly air-gapped (seedsigner, krux), unless you download and install some malicious firmware update.