Re: Did I understand this right?
These days "closed source" often includes a pile of "open source" libraries anyway, so you get the same vulns as open source, plus an extra delay as the vendor incorporates the updates and redistributes their software. FWIW there is a metric crap-ton of *very out of date* vulnerable Open Source software incorporated into every single vendor product I've looked at as part of my day job so far. It's a royal ballache. :(