Contrary to what Ledger is trying to sell, trusting a single company to "do the right thing" is not even remotely the same as having thousands of developers and hackers -- independent and contracted alike -- making sure that there's nothing fishy going on. It simply isn't.
I agree with you to some extent. However, I want to mention all those Dapps, decentralized liquidity providers, DEXs for ETH tokens and the like that have been hacked or exit scammed numerous times in the past. Their open-source nature didn't prevent it. Nobody noticed the vulnerabilities until the money was gone. "Security experts" provided them with their seals of guarantee, which proved to be useless after hackers found ways to breach the platforms. Just because there is a way to inspect the code doesn't mean those doing it put that much effort into it.
Good point!
To clarify, I'm under no delusion that open source means 100% security -- see Heartbleed affecting OpenSSL for example. I'm just saying that the level of trust required and security provided by open sourcing your code is on a wholly different level.
Dapps and DEXs are actually a great example of the limits of using the many-eyes principle of open source for additional security and trustlessness: (1) the developer communities are much smaller because they are splintered across a variety of projects, (2) the incentives for using an exploit yourself rather than doing a responsible disclosure are much higher (i.e. while you could monetize a 0-day you find in a hardware wallet or cryptographic library by selling it, exploiting a smart contract nets a much higher payday without an intermediary) and (3) those projects unfortunately often come with both a leadership and a community that tend to downplay and sometimes silence valid concerns as FUD (IIRC SOL was the poster boy for that).