That's a fallacy.
Closed-source software is nowhere close to better than reputable open-source software in terms of security. Being open-source doesn't mean more vulnerable than closed-source. Most attacks, from dynamic which work as a black-box (push inputs, observe outputs) to static which use pattern matches against binaries require no source code. Even if source code is necessary for an attacker, they can use disassemblers to reverse engineer part of the source code they want.
All in all, even if the entire source code is required, and the attacker can't reverse engineer the entire thing, revealing the source code, if reputable, can attract more defenders than attackers. If the software is not open-source, there can't be defenders. Only the centralized entity of developers that are responsible for it.
So, if somebody ever tells you this:
we don't want you to see how we run the codes, you can target us or something
You should respond them that if they rely on closed-sourceness for their security, they are benighted.