Companies utilizing Open Source can do, nay, MUST do the following:
- Contribute to OSS by either assigning a programmer/team (on their side) to check for vulnerabilities, or by making a donation on a monthly basis. You won't like it when you're asked to work but won't be getting paid for it.
- Recognize the need for thorough pen testing, especially if most of your services are on publicly-accessible servers and hold sensitive data or personal information, no matter whether you use M$, Sun, Oracle, Hillbilly or whatever software. Vulnerabilities will exist (incorrect configuration, software bugs, etc.), and it is up to you to make sure you have mitigated all of them.
- Oh, and last, but not least, plan for when a pwnage will occur: what you will do, who will be responsible for sorting that mess out, press/social media responses, etc.