Security benefit and risk
That sounds about right.
Open source, particularly in bigger projects, can have far more visibility, testing and shorter remediation times. This is great; however, this is countered by: do I trust those libraries maintained by a retired guy and his cat? Have all the relied-upon libraries been maintained? Who is looking out for poor quality or malicious code changes? If I find a problem with a library, can I get someone to fix it, or do I have to attempt to fix it myself?
This is why enterprises go to Red Hat (or equivalents), and are generally not encouraging random downloads of code stumbled across on the internet.
Open source is a very flexible world, albeit with a common aim, so it's no wonder the answers look a bit conflicted.